Hierarchical group key management approach based on linear geometry

ABSTRACT

A hierarchical group key management approach based on linear geometry is disclosed. The approach includes the following steps: step 1, the central controller selects a finite field F, a mapping parameter f and a constant N for use in the group; the central controller selects a N-dimensional private vector for each subgroup; step 2, the central controller selects a mapping parameter r and maps the private vector to a new set of vectors in the vector space; step 3, the central controller selects a subgroup key for each subgroup and constructs n linear systems of equations, and solves the solution of the linear equation systems, that is, the public vector, and the n sets of public vectors form a public vector; the public vector and the mapping parameter r are broadcasted or multicasted by the central controller to all the subgroup controllers; step 4, each subgroup controller solves the confidential vector of its own, and a set of key vectors is obtained by linear transformation of the confidential vector and the public matrix. This invention is simple and flexible, and is effective against brute-force attacks.

CROSS REFERENCE TO RELATED APPLICATIONS

This is a U.S. National Phase patent application of PCT/CN2010/073318,filed May 27, 2010, which is hereby incorporated by reference in thepresent disclosure in its entirety.

FIELD OF THE INVENTION

The present invention relates to a group key management approach in thenetwork security, and in particular to a hierarchical group keymanagement approach based on linear geometry and the theory oforthogonal vectors.

BACKGROUND OF THE INVENTION

With the rapid development of Internet technology and the popularizationof multicast, group-oriented applications, such as video conference,network games, and video on demand, etc., play more and more importantroles. Secure group communication becomes an important research aspect.The secure group communication with hierarchical access control relatesto a group with a series of subgroups having different accesspermissions, higher level subgroups receive and decrypt the informationsent by its descendant subgroups (direct or indirect), but not viceversa. For the hierarchical access control based on cryptography, thehigher level subgroups can obtain/derive the communication key of itsdescendant subgroups directly or indirectly, while the lower levelsubgroups can not derive the communication keys of its ancestorsubgroups.

Normally, hierarchical access control has the following settings: (1)hierarchical relationship can be represented by Directed Acyclic Graph(DAG); (2) a central controller (CC) is used to manage the hierarchicalrelationship, and calculate and distribute the keys; (3) in the DAG,each node represents a set of users, and each node is called a subgroup;(4) each subgroup has a subgroup controller (SC) for distributing thesubgroup key to each subgroup member; (5) between CC and SC, there is asecure channel for secure communication when the initialization ofsystem or a new subgroup joins in the group; (6) in each subgroup, thereis a secure key management scheme for implementing the key management inthe subgroup.

These days, there are various approaches in the hierarchical accesscontrol. The typical schemes include Akl-Taylor scheme, Lin scheme,Sandhu scheme, Chinese Remainder Theorem (CRT) scheme, etc.

The Akl-Taylor scheme is a key directly dependent scheme based onone-way function. The key of a descendant subgroup is generated by thekey of its ancestor subgroup via the one-way function, and the ancestorsubgroup can calculate the key of its descendant subgroup directly whilethe descendant subgroup can not select the key of its own. The advantageof this scheme is that all the nodes do not need to memorize thehierarchical structure, and only have to store the key of its own. Thedisadvantage of this scheme is that the hierarchical structure isstatic, and a small variation in the structure will result in the updateof all the nodes in the hierarchical structure.

There are also other schemes such as Mackinnon scheme, Chick and Tavaresscheme and so on, which can be regarded as the improvements to theAkl-Taylor scheme.

The Lin scheme is a key indirectly dependent scheme based on one-wayfunction. The key of a descendant subgroup is independent of the key ofits ancestor subgroup, and the ancestor subgroup can derive the key ofits descendant subgroup indirectly. The advantage of this scheme is thatthe descendant subgroups can change the key independently withoutaffecting the key of the other subgroups. The disadvantage of thisscheme is that the subgroups have to memorize the entire hierarchicalstructure, at least all its descendant subgroups. Furthermore, someauxiliary variables for deriving the keys of the descendant subgroupshave to be stored.

The Sandhu scheme is based on the tree structure in which each node hasa name. The root node of the tree selects a key randomly, and the key ofeach other node is obtained by encrypting its name with the key of itsancestor subgroup. A subgroup can obtain the keys of its descendantsubgroups by encryption, while a descendant subgroup can not calculatethe key of its ancestor subgroup. The advantage of this scheme is thateach subgroup only needs to store the information of its own, and thechange of the level of a subgroup will only affect the key update of itsdescendant subgroups. The disadvantage of this scheme is that thesubgroups have to memorize some group information, and at least thegroup information of all its descendant subgroups, and it is onlyadapted for hierarchical model with tree structure.

In the CRT scheme, the hierarchical structure is hidden in a constructedCRT variable by CRT algorithm, and all ancestor subgroups of a subgroupcan calculate the key of this subgroup, while this subgroup can not knowwhich subgroups are its ancestor subgroups. The ancestor subgroups donot know the specific path to the subgroup either, and can onlycalculate its key. This scheme provides good security, but thedisadvantage is that the cost to compute the CRT variable is very large,and it grows proportionally as the number of subgroups increases, andthereby the scalability of the scheme is not good enough.

SUMMARY OF THE INVENTION

It is a first object of the present invention to provide a hierarchicalgroup key management approach based on linear geometry, which isconstructed based on a theory of polynomial function in a vector spaceover a finite field. This approach is simple and flexible, and iseffectively against brute-force attacks.

It is a second object of the present invention to provide a furtherhierarchical group key management approach based on linear geometry,which is constructed based on a further theory of polynomial function ina vector space over a finite field. This approach requires small memory,little computation, high security and is effectively against brute-forceattacks.

The first object of the present invention is achieved by the followingtechnical solution: A hierarchical group key management approach basedon linear geometry, comprises the following steps:

step 1: a central controller CC selects a mapping f and a finite field Ffor use by the group, and all computations in the group are performedover the finite field F; moreover, a constant N is determined by thecentral controller to be used as a upper limit of the number ofsubgroups; the central controller sends the finite field F, the constantN and the mapping f to all subgroup controllers; suppose the group has nsubgroups, the central controller assigns a serial number for eachsubgroup and sends each serial number to each subgroup controller; thecentral controller selects a N-dimensional private vector randomly foreach subgroup, and sends each N-dimensional private vector to eachsubgroup controller correspondingly via secure channel; the subgroupcontrollers receive and store the N-dimensional private vectors from thecentral controller and keep secret, wherein N and n are positiveintegers, and n≦N;

step 2: the central controller selects a mapping parameter r in thefinite field F, and maps the private vectors of all the subgroupcontrollers into a new set of vectors called confidential vectors byusing the mapping f according to the mapping parameter r; if the new setof vectors is linearly dependent, then the mapping parameter isreselected to perform remapping, or return to the step 1 to allow eachsubgroup controller to reselect a private vector, until the new set ofvectors is linearly independent;

step 3: the central controller selects a subgroup key in the finitefield F for each subgroup; the central controller constructs n linearsystems of equations according to the hierarchy relationship of thesubgroups by using the confidential vectors and the subgroup keys, andcalculates the unique solutions of the linear systems of equations whichare called public vectors; the confidential vectors and the publicvectors are subject to the following regulations: (1) the confidentialvectors of lower level nodes are orthogonal to the public vectors ofhigher level nodes, and the inner product is zero; (2) for all thenodes, the inner product of the confidential vector and the publicvector of a current node itself is the group key of the current node;(3) if the higher level node is a parent node or ancestor node of thecurrent node, the inner product of the confidential vector of the higherlevel node and the public vector of the current node is the group key ofthe current node; the inner product of the confidential vector of thehigher level node and the public vector of a descendant node is thegroup key of the descendant node; (4) the nodes without direct norindirect ancestor-descendant relationship with respect to each other cannot derive the keys of the other, and the inner product of theconfidential vector of one node and the public vector of the other nodeis zero; (5) the key of one node can not be derived by the other nodebetween brother nodes, and the inner product of the confidential vectorof one node and the public vector of the other is zero. n sets of publicvectors form a public matrix, the public matrix and the mappingparameter r are broadcasted or multicasted by the central controller toall the subgroup controllers via open channel;

step 4: after receiving the public matrix and the mapping parameter,each subgroup controller maps the private vector of its own to a newvector in a vector space according to the mapping parameter, and solvesthe confidential vector of its own, then a set of key vectors isobtained by the linear transformation of the confidential vector and thepublic matrix. The subgroup controller can obtain the group key of itsown and all its descendant subgroups through the key vector calculatedby itself, while it can not calculate the group keys of its parent groupand ancestor groups; the subgroup controller distributes the calculatedgroup keys to group members.

Preferably, the step 1 is implemented by the following:

the central controller determines a finite field F, a constant N and amapping f, and sends the finite field F, the constant N and the mappingf to all the subgroup controllers; the central controller assigns aserial number SC_(i) to each subgroup controller, and sends the serialnumber SC_(i) to each subgroup controller by broadcasting ormulticasting; the central controller selects a N-dimensional privatevector Z_(i)=(z_(i,1), z_(i,2), . . . , z_(i,N)) randomly for eachsubgroup V_(i) and sends the private vector to the correspondingsubgroup controller SC_(i) via secure channel; each subgroup controllerSC_(i) receives and stores the private vector Z_(i)=(z_(i,1), Z_(i,2), .. . , z_(i,N)) and keeps secret;

Preferably, the step 2 is implemented by the following:

the central controller selects a mapping parameter r in the finite fieldF, and maps the private vectors Z_(i)=(z_(i,1), z_(i,2), . . . ,z_(i,N)) of all the subgroups into a new set of vectors calledconfidential vectors by using the mapping f;

for a subgroup controller with a serial number SC_(i):

x_(i, 1) = f(z_(i, 1)r) x_(i, 2) = f(z_(i, 2)r)…, x_(i, n) = f(z_(i, n), r)

then, the central controller obtains a new set of vectors in the finitefield F:

X₁ = (x_(1, 1), x_(1, 2), … , x_(1, n)), X₂ = (x_(2, 1), x_(2, 2), … , x_(2, n)), … , X_(n) = (x_(n, 1), x_(n, 2), … , x_(n, n))

the central controller judges whether X₁, X₂, . . . , X_(n) are linearlydependent, and if they are linearly dependent, then proceed to the step2, or return to the step 1 to allow the subgroup controller to reselecta private vector until the new set of vectors are linearly independent;or else proceed to step 3 (notice that the linearly independent vectorX₁, X₂, . . . , X_(n) can be easily obtained since r is a randomnumber);

the step 3 is implemented by the following:

the central controller selects a random number for each subgroup in thefinite field F to be used as a key of the subgroup and suppose theselected random numbers are k₁, k₂, . . . , k_(n) wherein k_(i)≠0. Forany subgroup V_(i), let P(i) represent the set of all ancestor nodes ofthe subgroup V_(i). Suppose the public vector A_(i)=(a_(i,1), a_(i,2), .. . , a_(i,n)) is an unknown parameter, then the public vector A_(i) andthe confidential vector X_(j) of each subgroup have the followingrelationship:

$\begin{matrix}{{X_{j} \times A_{i}^{T}} = \left\{ \begin{matrix}{k_{i},} & {{{if}\mspace{14mu} j} = {{i\mspace{14mu}{or}\mspace{14mu} V_{j}} \in {P(i)}}} \\{0,} & {{{if}\mspace{14mu} V_{j}} \notin {{{P(i)}\mspace{14mu}{and}\mspace{14mu} j} \neq i}}\end{matrix} \right.} & (1)\end{matrix}$

the equation (1) has the following meaning: (1) for any subgroup V_(i),suppose its confidential vector is X_(i), the public vector is A_(i) andthe key is k_(i), then X_(i)×A_(i) ^(T)=k_(i); (2) for other subgroupsV_(j) (j=1, . . . , n and j≠i), the confidential vector is representedby X_(j), and if V_(j) is the parent node or grandparent node of V_(i),then X_(j)×A_(i) ^(T)=k_(i), while if V_(J) is not the parent node norgrandparent node of V_(i), then X_(j)×A_(i) ^(T)=0;

from the equation (1): suppose X=(X₁, X₂, . . . , X_(n))^(T),K_(i)=(c_(i,1), c_(i,2), . . . , c_(i,n))^(T),

$c_{i,j} = \left\{ \begin{matrix}{k_{i},} & {{{if}\mspace{14mu} j} = {{i\mspace{14mu}{or}\mspace{14mu} V_{j}} \in {P(i)}}} \\{0,} & {{{{if}\mspace{14mu} V_{j}} \notin {{{P(i)}\mspace{14mu}{and}\mspace{14mu} j} \neq i}},}\end{matrix} \right.$then the equation (1) is converted into:X×A _(i) ^(T) =K _(i)  (2)

Let A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)), K=(K₁, K₂, . . . , K_(n)),then for all subgroups V_(i):X×A=K _(i)  (3)

the central controller needs to solve the system of equations (3), andthe system of equations (3) has a unique solution since the linearindependence of X₁, X₂, . . . , X_(n) in the step 2 guarantees thecoefficient matrix determinant |X|≠0, and A is the public matrix solved;

the public matrix A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)) and themapping parameter r are broadcasted or multicasted by the centralcontroller to all the subgroup controllers via open channel;

the step 4 is implemented by the following:

each subgroup controller receives the public matrix A=(A₁ ^(T), A₂ ^(T),. . . , A_(n) ^(T)) and the mapping parameter r, and calculatesX_(i)=(x_(i,1), x_(i,2), . . . , x_(i,n)) via the mapping f:

x_(i, 1) = f(z_(i, 1), r) x_(i, 2) = f(z_(i, 2), r)… , x_(i, n) = f(z_(i, n), r)

then calculates:k _(i) =X _(i) ×A _(i) ^(T) =x _(i,1) a _(i,1) +x _(i,2) a _(i,2) + . .. +x _(i,n) a _(i,n)  (4)t _(j) =X _(i) ×A _(j) ^(T) =x _(j,1) a _(i,1) +x _(j,2) a _(i,2) + . .. +x _(j,n) a _(i,n)(j≠i)  (5)

the equation (4) has the following meaning: for any subgroup V_(i),suppose the confidential vector calculated by its subgroup controllerSC_(i) is X_(i) and the public vector received is A_(i), then SC_(i)calculates the group key k_(i)=X_(i)×A_(i) ^(T);

the equation (5) has the following meaning: for any subgroup V_(i),suppose the confidential vector calculated by its subgroup controllerSC_(i) is X_(i), the public vector of other subgroups V_(j) (j=1, . . ., n and j≠i) in the group is represented as A_(j), then SC_(i)calculates the group key t_(j)=X_(i)×A_(j) ^(T) of V_(j), and if V_(j)is the direct or indirect descendant subgroup of V_(i), then t_(j)≠0 andt_(j) is the group key of the subgroup V_(j), while if V_(j) is not thedirect nor indirect descendant subgroup of V_(i), then t_(j)=0, andV_(i) can not calculate the group key of V_(j).

wherein P(j) represents the set of all ancestor nodes of the subgroupV_(i); if V_(i)εP(j), then t_(j)=k_(j), i.e. t_(j) is equal to the groupkey of V_(j); or else, t_(j)=0; each subgroup V_(i) can easily calculateits group key or the group keys of its descendant nodes via theequations (4) and (5);

the subgroup controller SC_(i) distributes the calculated k_(i) andt_(j) (j≠i) to each group member (the specific delivering process isdetermined by the key management scheme in the group).

When ordinary members (not subgroup controllers) apply to join in thesubgroup, the hierarchical group key management approach based on lineargeometry further comprises:

step 5, when ordinary members (not subgroup controllers) request to joinin, suppose the current group has n subgroups, wherein g subgroups havenew members requesting to join in, then the controllers of thesubgroups, where the new users join, send the joining request to thecentral controller (the new members can be allowed simultaneously tojoin in the group by bulk processing), wherein g≦n; repeat the steps 2to 4.

When ordinary members (not subgroup controllers) apply to leave thesubgroup, the hierarchical group key management approach based on lineargeometry further comprises:

step 5, when ordinary members (not subgroup controllers) request toleave the group: suppose the current group has n subgroups, wherein gsubgroups have members requesting to leave, then the controllers of thesubgroups, where users request to leave, send the leaving request to thecentral controller (the update of key can be done by bulk processing),wherein g≦n;

repeat the steps 2 to 4.

When ordinary members (not subgroup controllers) request to join in andordinary members request to leave, the hierarchical group key managementapproach based on linear geometry further comprises:

step 5, when a large number of ordinary members join in and leave, thatis, a large number of new users request to join in some subgroups whilesome members in some subgroups apply to leave, then the controllers ofthe subgroups, where the new users join, send the joining request to thecentral controller, and subgroup controllers which users request toleave send the leaving request to the central controller;

repeat the steps 2 to 4.

A subgroup may be split into new subgroups, and the new subgroups willjoin in the system after the new subgroups select new subgroupcontrollers; the hierarchical group key management approach based onlinear geometry further comprises:

step 5, when new subgroups join in, the central controller assigns aserial number to each subgroup controller and sends the serial number toall the subgroup controllers; meanwhile, the central controller selectsa N-dimensional private vector over the finite field F for each newsubgroup and sends the N-dimensional private vector to the correspondingsubgroup controller via secure channel; the new subgroup controllersreceive the private vectors sent by the central controller and keepsecret; the central controller sends the finite field F, the constant Nand the mapping f to the new subgroup controllers;

repeat the steps 2 to 4.

The deletion or combination of subgroups will cause the leaving ofsubgroup controller members; and the hierarchical group key managementapproach based on linear geometry further comprises:

step 5, when subgroups need to leave, each subgroup member that needs toleave applies to the central group controller for leaving the group; thecentral group controller deletes the private vectors of the leavingsubgroups, and reassigns serial numbers according to the size order ofthe subscripts of the current subgroup members, and sends the serialnumbers to all subgroup controllers by broadcasting or multicasting;

repeat the steps 2 to 4.

When a large number of subgroup controller members join in and a largenumber of subgroup controller members leave simultaneously, thehierarchical group key management approach based on linear geometryfurther comprises:

step 5: when a large number of new subgroup controllers join in and alarge number of subgroup controllers leave simultaneously, each leavingsubgroup controller applies to the central controller for leaving; thecentral controller deletes the private vector of the leaving subgroupcontroller, and reassigns serial numbers for the remaining subgroupcontrollers according to the size order of the subscripts of the currentsubgroup controllers while assigns a serial number for each new subgroupcontroller, then sends the serial numbers to all subgroup controllers;the central controller selects a N-dimensional private vector randomlyover the finite field F for each new joining subgroup, and sends theN-dimensional private vector to the corresponding subgroup controller;the new joining subgroup controllers receive the private vector sent bythe central controller and keep secret; the central controller sends thefinite field F, the constant N and the mapping f to the new joiningsubgroup controllers;

repeat the steps 2 to 4.

When ordinary users and subgroup controller users join in together,and/or ordinary users and subgroup controller users leavesimultaneously, the hierarchical group key management approach based onlinear geometry further comprises:

step 5: when a large number of ordinary users and subgroup controllersjoin in, and/or ordinary users and subgroup controllers leavesimultaneously, each leaving subgroup controller applies to the centralcontroller for leaving; the subgroup controllers which the ordinaryusers join in or leave send a request for updating the key to thecentral controller; the central controller deletes the private vectorsof the leaving controller, and reassigns serial numbers according to thesize order of the subscripts of the current subgroup members whileassigns a serial number to each new joining subgroup controller, andthen sends the serial numbers to all subgroup controllers; the centralcontroller selects a N-dimensional private vector over the finite fieldfor each new joining subgroup, and sends the N-dimensional privatevector to the corresponding subgroup controller via secure channel; thenew joining subgroup controllers receive the private vectors sent by thecentral controller and keep secret; the central controller sends thefinite field F, the constant N and the mapping f to the new joiningsubgroup controllers;

repeat the steps 2 to 4.

The second object of the present invention is achieved by the followingtechnical solution:

A hierarchical group key management approach based on linear geometry,comprises the following steps:

step 1: a central controller CC selects a mapping f and a finite field Ffor use by a group, all computations in the group are performed over thefinite field; a constant m is determined by the central controller; thecentral controller sends the finite field F, the constant m and themapping f to all subgroup controllers; suppose the group has nsubgroups, the central controller assigns a serial number for eachsubgroup and sends each serial numbers to each subgroup controller; thecentral controller selects a m-dimensional private vector and atwo-dimensional private vector randomly for each subgroup, and sendsthem to the corresponding subgroup controller via secure channel; thesubgroup controllers receive and store the m-dimensional private vectorsand the two-dimensional private vectors and keep secret, wherein m and nare positive integers, and 2≦m≦n;

step 2: the central controller selects a mapping parameter r in thefinite field F, and maps the two-dimensional private vectors of all thesubgroup controllers into a new set of vectors by using the mapping faccording to the mapping parameter r, and maps the m-dimensional privatevectors of all the subgroup controllers into a new set of vectors in thevector space by using the mapping f if the new set of vectors islinearly dependent, then the mapping parameter is reselected to performremapping, or return to the step 1 to allow each subgroup controller toreselect a private vector, until the new set of vectors is linearlyindependent; these two new sets of subgroups are called confidentialvectors;

step 3: the central controller selects a subgroup key in the finitefield F for each subgroup, the central controller constructs n linearsystems of equations according to the hierarchy relationship of thesubgroups by using the confidential vectors and the subgroup keys, andthe central controller calculates the unique solutions of the linearsystems of equations which are called public vectors; the confidentialvectors and the public vectors are subject to the following regulations:(1) for all the nodes, the inner product of the m-dimensionalconfidential vector and the public vector of a current node itself isthe group key of the current node; (2) the m-dimensional confidentialvectors of lower level nodes are orthogonal to the public vectors ofhigher level nodes, and the inner product is zero; (3) when the higherlevel node is a parent node or ancestor node of the current node, theinner product of the m-dimensional confidential vector of the higherlevel node and the public vector of all the descendant nodes is theindirect key; the higher level node further calculates the key of thedescendant node via the key and the two-dimensional confidential vectorof the higher level node itself; (4) for nodes without direct norindirect ancestor-descendant relationship with respect to each other,the inner product of the m-dimensional confidential vector of one nodeand the public vector of the other node is zero; (5) the key of one nodecan not be derived by the other node between brother nodes, and theinner product of the confidential vector of one node and the publicvector of the other is zero; n sets of public vectors form a publicmatrix, and the public matrix and the mapping parameter r arebroadcasted or multicasted by the central controller to all the subgroupcontrollers via open channel;

step 4: after receiving the public matrix and the mapping parameter,each subgroup controller maps the two private vectors of its own to twonew vectors i.e. confidential vectors, in a vector space according tothe mapping parameter, and a set of key vectors is derived from lineartransformation of the m-dimensional confidential vector and the publicmatrix, the subgroup controller obtains its group key through the keyvector calculated by itself, and calculates the group keys of descendantsubgroups through the key vector calculated by itself and thetwo-dimensional confidential vector of its own, and the descendantsubgroups can not calculate the group keys of their parent groups andancestor groups; the subgroup controller distributes the group keyscalculated to group members.

Preferably, the step 1 is implemented by the following:

the central controller determines a finite field F, a constant m and amapping f, and sends the finite field F, the constant m and the mappingf to all the subgroup controllers SC_(i); the central controller selectsa m-dimensional private vector Z_(i)=(z_(i,1), z_(i,2), . . . , z_(i,m))and a two-dimensional private vector Y_(i)=(y_(i,1),y_(i,2)) over thefinite filed F for each subgroup, and sends Z_(i) and Y_(i) to thecorresponding subgroup controller SC_(i) via secure channel;

the subgroup controller SC_(i) receives and stores the private vectorsZ_(i) and Y_(i) and keeps secret, the central controller assigns aserial number SC_(i) for each subgroup controller, and sends the serialnumber SC_(i) to all the subgroup controllers by broadcasting ormulticasting, wherein i=1, . . . , n;

the step 2 is implemented by the following:

the central controller selects a mapping parameter r in the finite fieldF randomly, and maps the private vectors Z_(i) of all the subgroups intoa new set of vectors X_(i) by using the mapping f, and maps the privatevectors Y_(i) of all the subgroups into a new set of vectors W_(i),wherein X_(i) and W_(i) are called confidential vectors;

$\begin{matrix}{{{{for}\mspace{14mu}{all}\mspace{14mu}{subgroups}\mspace{14mu}{SC}_{i}},{i = 1},\ldots\;,n,{{{the}\mspace{14mu}{vector}\mspace{14mu} W_{i}} = {{\left( {w_{i,1},w_{i,2}} \right):w_{i,1}} = {f\left( {y_{i,1},r} \right)}}}}{w_{i,2} = {f\left( {y_{i,2},r} \right)}}} & (1) \\{{{{{for}\mspace{14mu} i} = 1},\ldots\;,m,{X_{i} = {{\left( {x_{i,1},\ldots\;,x_{i,m},0,\ldots\;,0} \right):x_{i,1}} = {f\left( {z_{i,1},r} \right)}}}}\ldots{x_{i,m} = {f\left( {z_{i,m},r} \right)}}{{{{Let}\mspace{14mu} x_{i,{m + 1}}} = {\ldots = {x_{i,n} = 0}}};}} & (2) \\{{{{{for}\mspace{14mu} i} = {m + 1}},\ldots\;,n,{X_{i} = \left( {x_{i,1},x_{i,2},\ldots\;,x_{i,{m - 1}},{0\ldots}\;,0_{x_{i,i}},0,\ldots\;,0} \right)}}{x_{i,1} = {f\left( {z_{i,1},r} \right)}}\ldots{x_{i,{m - 1}} = {f\left( {z_{i,{m - 1}},r} \right)}}{x_{i,i} = {f\left( {z_{i,m},r} \right)}}{{{{Let}\mspace{14mu} x_{i,m}} = {\ldots = {x_{i,{i - 1}} = 0}}},{{x_{i,{i + 1}} = {\ldots = {x_{i,n} = 0}}};}}} & (3)\end{matrix}$

then the central controller obtains a set of n-dimensional vectorsconsisting of X_(i) over the finite field F:

X₁ = (x_(1, 1), x_(1, 2), … , x_(1, n))X₂ = (x_(2, 1), x_(2, 2), … , x_(2, n)) …X_(n) = (x_(n, 1), x_(n, 2), … , x_(n, n))

the central controller judges whether X_(i), X₂, . . . , X_(n) arelinearly dependent, and if they are linearly dependent, then proceed tothe step 2 to reselect the mapping parameter and to perform remapping,or return to the step 1 to allow the subgroup controller to reselect aprivate vector until the new set of vectors are linearly independent; orelse proceed to step 3, and it is very easy to obtain a set of vectorX₁, X₂, . . . , X_(n) that are linearly independent, because r is arandom number;

the step 3 is implemented by the following:

the central controller selects a group key k_(i,i), i=1, . . . , n, foreach subgroup; for any subgroup controller SC_(i), i=1, . . . , n,suppose its public vector A_(i)=(a_(i,1), a_(i,2), . . . , a_(i,n)) isan unknown parameter, and C(V_(i)) is used to represent a set of alldescendant groups of the subgroup controller SC_(i), then the publicvector A_(i) and the confidential vector X_(j) of each subgroup have thefollowing relationship:X _(i) ×A _(i) ^(T) =k _(i,i)

suppose V_(j)εC(V_(i)), i.e. V_(j)(j=1, . . . , n) is the direct orindirect descendant subgroup of V and j i, then A_(j), X_(i), W_(i) andX_(j) have the following relationship:

$\begin{matrix}\left\{ \begin{matrix}{{X_{j} \times A_{j}^{T}} = k_{j,j}} \\{{X_{i} \times A_{j}^{T}} = k_{i,j}} \\{{W_{i} \times \left( {k_{i,i},k_{i,j}} \right)^{T}} = k_{j,j}}\end{matrix} \right. & (6)\end{matrix}$

it is derived from the equation (6) that:

$\begin{matrix}{{X_{i} \times A_{j}^{T}} = {k_{i,j} = \left\{ \begin{matrix}{k_{i,i},{j = i}} \\{{\left( {k_{j,j} - {w_{i,1}k_{i,i}}} \right)w_{i,2}^{- 1}},{{j \neq {i\bigcap V_{j}}} \in {C\left( V_{i} \right)}}} \\{0,{{j \neq {i\bigcap V_{j}}} \notin {C\left( V_{i} \right)}}}\end{matrix} \right.}} & (7)\end{matrix}$

the equation (7) has the following meaning: for any subgroup V_(i), itsn-dimensional confidential vector is X_(i), two-dimensional confidentialvector is W_(i)=(w_(i,1),w_(i,2)), the public vector is A_(i), and thekey is k_(i,i); the public vectors of all subgroups V_(j)(j=1, . . . ,n) is represented by A_(j)=(a_(j,1), a_(j,2), . . . , a_(j,n)); (1) ifj=i, A_(j)=A_(i) and k_(i,j)=k_(i,i), and at this time, k_(i,j)=X×A_(j)^(T)=X_(i)×A_(i) ^(T)=k_(i,i) is the group key of the subgroup V_(i);(2) if j≠i and V_(j) is the direct or indirect descendant subgroup ofV_(i), the subgroup V_(i) can calculate the group key k_(j,j) of V_(j)through the indirect key k_(i,j), and it can be derived from theequation (6) that X_(i)×A_(j)^(T)=k_(i,j)=(k_(j,j)−w_(i,1)k_(i,i))w_(i,2) ⁻¹; (3) if j≠i and V_(j) isthe direct or indirect descendant subgroup of V_(i), thenk_(i,j)=X_(i)×A_(j) ^(T)=0, and at this time, V_(i) can not calculatethe key k_(j,j) of V_(j) through k_(i,j);

suppose X=(X₁, X₂, . . . , X_(n)), K_(i)=(k_(i,1), k_(i,2), . . . ,k_(i,n))^(T), then the equation (7) is transformed into:X×A ^(T) =K _(i)

let A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)), K=(K₁, K₂, . . . , K_(n)),and for all the V_(i), then:X×A=K  (8)

the equation (8) is written in the form of a system of equations:

${\begin{bmatrix}x_{1,1} & x_{1,2} & \ldots & x_{1,n} \\x_{2,1} & x_{2,2} & \ldots & x_{2,n} \\\ldots & \ldots & \ldots & \ldots \\x_{n,1} & x_{n,2} & \ldots & x_{n,n}\end{bmatrix} \times \begin{bmatrix}a_{1,1} & a_{2,1} & \ldots & a_{n,1} \\a_{1,2} & a_{2,2} & \ldots & a_{n,2} \\\ldots & \ldots & \ldots & \ldots \\a_{1,n} & a_{2,n} & \ldots & a_{n,n}\end{bmatrix}} = \begin{bmatrix}k_{1,1} & k_{1,2} & \ldots & k_{1,n} \\k_{2,1} & k_{2,2} & \ldots & k_{2,n} \\\ldots & \ldots & \ldots & \ldots \\k_{n,1} & k_{n,2} & \ldots & k_{n,n}\end{bmatrix}$

the central controller solves the system of equations (8), and thesystem of equations (8) has a unique solution: A=X⁻¹K, since the step 3guarantees the coefficient matrix determinant |X|≠0, and A is the publicmatrix solved; the mapping parameter r and the matrix A=(A₁ ^(T), A₂^(T), . . . , A_(n) ^(T)) are broadcasted or multicasted by the centralcontroller to all the subgroup controllers via open channel;

the step 4 is implemented by the following:

when each subgroup controller receives the public matrix A=(A₁ ^(T), A₂^(T), . . . , A_(n) ^(T)) and the mapping parameter r, each subgroupcontroller SC_(i) calculates W_(i) and X_(i) according to the serialnumber i of its own and the mapping f:

$\begin{matrix}{{{{{for}\mspace{14mu}{all}\mspace{14mu}{the}\mspace{14mu} i} = 1},\ldots\;,n,{W_{i} = \left( {w_{i,1},w_{i,2}} \right)}}{w_{i,1} = {f\left( {y_{i,1},r} \right)}}{w_{i,2} = {f\left( {y_{i,2},r} \right)}}} & (1) \\{{{{{{for}\mspace{14mu} i} = 1},\ldots\;,m,{X_{i} = {{\left( {x_{i,1},\ldots\;,x_{i,m},0,\ldots\;,0} \right):x_{i,1}} = {f\left( {z_{i,1},r} \right)}}}}\ldots x_{i,m} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,{m + 1}}} = {\ldots = {x_{i,n} = 0}}};}} & (2) \\{{{{{{for}\mspace{14mu} i} = {m + 1}},\ldots\;,n,{X_{i} = \left( {x_{i,1},x_{i,2},\ldots\;,x_{i,{m - 1}},{0\ldots}\;,0_{x_{i,i}},0,\ldots\;,0} \right)}}{x_{i,1} = {f\left( {z_{i,1},r} \right)}}\ldots{x_{i,{m - 1}} = {f\left( {z_{i,{m - 1}},r} \right)}}x_{i,i} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,m}} = {\ldots = {x_{i,{i - 1}} = 0}}},{{x_{i,{i + 1}} = {\ldots = {x_{i,n} = 0}}};}}{{{{then}\mspace{14mu}{for}\mspace{14mu}{all}\mspace{14mu}{the}\mspace{14mu} j} = 1},\ldots\;,n,{calculate},}} & (3) \\{k_{i,j} = \left\{ \begin{matrix}{{{X_{i} \times A_{j}^{T}} = {{x_{i,1}a_{j,1}} + \ldots + {x_{i,m}a_{j,m}}}},} & {i \leq m} \\{{{X_{i} \times A_{j}^{T}} = {{x_{i,1}a_{j,1}} + \ldots + {x_{i,{m - 1}}a_{j,{m - 1}}} + x_{i,i}}},a_{j,i},} & {i > m}\end{matrix} \right.} & (9)\end{matrix}$

the equation (9) has the following meaning: for the subgroup V_(i), thesubgroup controller is SC_(i), the n-dimensional confidential vector isX_(i), and the two-dimensional confidential vector isW_(i)=(w_(i,1),w_(i,2)); the public vectors of all the subgroups in thegroup are represented by A_(j)=(a_(j,1), a_(j,2), . . . , a_(j,n)) (j=1,. . . , n); if j=i, then A_(j)=A_(i) and k_(i,j)=k_(i,i), and at thistime, k_(i,j) is the group key of the subgroup V_(i); if j≠i andk_(i,j)≠0, V_(i) can calculate the group key k_(j,j) of V_(j) throughk_(i,j), and V_(j) is the direct or indirect descendant subgroup ofV_(i); if j≠i and k_(i,j)=0, it reveals that V_(i) can not calculate thekey k_(j,j) of V_(j); the calculation of k_(i,j) has the following twosituations: (1) if 1≦i≦m, X_(i)=(x_(i,1), . . . , x_(i,m), 0, . . . ,0), then k_(i,j)=X_(i)×A_(j) ^(T)=x_(i,1)a_(i,1)+ . . . +x_(i,m)a_(j,m);(2) if m+1≦i≦n, X_(i)=(x_(i,1), . . . , x_(i,m-1), 0, . . . , 0,x_(i,i), 0, . . . , 0), then k_(i,j)=X_(i)×A_(j) ^(T)=x_(i,1)a_(i,1)+ .. . +x_(i,m-1)a_(j,m-1)+x_(i,i)a_(j,i).

if j≠i, the subgroup controller SC_(i) continues to calculate the groupkey k_(j,j) of the subgroup V_(j) if k_(i,j)≠0:k _(j,j) =w _(i,1) ×k _(i,i) +w _(i,2) ×k _(i,j)  (10)

each subgroup controller SC_(i) can easily calculate the key k_(i,i) andthe key k_(j,j) of each descendant subgroup via the equations (9) and(10); the subgroup controller SC_(i) distributes the k_(i,i) and k_(j,j)(j=1, . . . , n and j≠i) calculated to each group member.

When ordinary members (not subgroup controllers) request to join thesubgroup, the hierarchical group key management approach based on lineargeometry further comprises:

step 5, when ordinary members (not subgroup controllers) join in:suppose the current group has n subgroups, wherein g subgroups have newmembers requesting to join in, then the controllers of the subgroups,where new users join, send the joining request to the central controller(the new members can be allowed simultaneously to join in the group bybulk processing), wherein g≦n;

repeat the steps 2 to 4.

When ordinary members (not subgroup controllers) request to leave thesubgroup, the hierarchical group key management approach based on lineargeometry further comprises:

step 5, when ordinary members (not subgroup controllers) request toleave the group: suppose the current group has n subgroups, wherein gsubgroups have members requesting to leave, then the controllers of thesubgroups, where users request to leave, send the leaving request to thecentral controller (the update of keys can be done by bulk processing),wherein g≦n;

repeat the steps 2 to 4.

When some ordinary members (not subgroup controllers) request to join inwhile some ordinary members would like to leave, the hierarchical groupkey management approach based on linear geometry further comprises:

step 5, when a large number of ordinary members join in and leave, thatis, a large number of new users request to join in some subgroups whilesome members in some subgroups request to leave, then the controllers ofthe subgroups, where the new users join, send the joining request to thecentral controller, and subgroup controllers which users request toleave send the leaving request to the central controller;

repeat the steps 2 to 4.

When subgroup controller members (bulk) join in, the hierarchical groupkey management approach based on linear geometry further comprises:

step 5: when new subgroups join in, the central controller selects am-dimensional private vector Z_(i)=(z_(i,1), z_(i,2), . . . z_(i,m)) anda two-dimensional private vector Y_(i)=(y_(i,1),y_(i,2)) for each newsubgroup controller over the finite field F, and sends them to thecorresponding subgroup controller; the central controller assigns aserial number to each new subgroup controller, and sends the serialnumber to all subgroup controllers; each new subgroup controllerreceives the m-dimensional private vector and the two-dimensionalprivate vector sent by the central controller and keeps secret; thecentral controller sends the finite field F, the constant N, and themapping f to the new subgroup controller;

repeat the steps 2 to 4.

When subgroup controller members (bulk) leave the group, thehierarchical group key management approach based on linear geometryfurther comprises:

step 5: when subgroups need to leave, each leaving subgroup memberapplies to the central group controller for leaving the group; thecentral group controller deletes the private vectors of the leavingsubgroups, and reassigns serial numbers according to the size order ofthe subscripts of the current subgroup members, and sends the serialnumbers to all subgroup controllers by broadcasting or multicasting;

repeat the steps 2 to 4.

When a large number of subgroup controller members join in and a largenumber of subgroup controller members leave simultaneously, thehierarchical group key management approach based on linear geometryfurther comprises:

step 5: each leaving subgroup controller applies to the centralcontroller for leaving; the central controller deletes the privatevector of the leaving subgroup controller, reassigns serial numbers forthe subgroup controllers according to the size order of the subscriptsof the current subgroup controllers, assigns a serial number to each newsubgroup controller, and sends the subscript serial numbers of allmembers to all subgroup controllers via broadcasting or multicasting;the central controller selects a m-dimensional private vectorZ_(i)=(z_(i,1), z_(i,2), . . . , z_(i,m)) and a two-dimensional vectorY_(i)=(y_(i,1),y_(i,2)) randomly over the finite field F for each newjoining subgroup, and sends them to the corresponding subgroupcontroller via secure channel; the central controller assigns a serialnumber to each new subgroup and sends the serial number to all thesubgroup controllers; each new subgroup controller receives them-dimensional private vector and the two-dimensional private vector sentby the central controller and keeps secret; the central controller sendsthe finite field F, the constant N and the mapping f to the new joiningsubgroup controllers;

repeat the steps 2 to 4.

When a large number of ordinary users and subgroup controllers join in,and/or ordinary users and subgroup controllers leave, the hierarchicalgroup key management approach based on linear geometry furthercomprises:

step 5: when a large number of ordinary users and subgroup controllersjoin in, and/or ordinary users and subgroup controllers leave, eachleaving subgroup controller applies to the central controller forleaving; the controllers of the subgroups, where the ordinary users joinor leave, send a request for updating the key to the central controller;the central controller deletes the private vectors of the leavingsubgroup controllers, and reassigns serial numbers according to the sizeorder of the subscripts of the current subgroup members while assigns aserial number to each new joining subgroup controller, and then sendsthe serial numbers to all subgroup controllers via broadcasting ormulticasting; the central controller selects a m-dimensional privatevector Z_(i)=(z_(i,1), z_(i,2), . . . , z_(i,m)) and a two-dimensionalvector Y_(i)=(y_(i,1),y_(i,2)) randomly over the finite field F for eachnew joining subgroup, and sends them to the corresponding subgroupcontroller via secure channel; the central controller assigns a serialnumber to each new subgroup controller and sends the serial number toall the subgroup controllers; each new subgroup controller receives them-dimensional private vector and the two-dimensional private vector sentby the central controller and keeps secret; the central controller sendsthe finite field F, the constant N and the mapping f to the new subgroupcontrollers;

repeat the steps 2 to 4.

Preferably, said m is 2.

Preferably, suppose that the mapping f is represented by z=f(w,b),wherein w, b, zεF, the main function of the mapping f is randomization,and the mapping f conforms to the following characteristics:

1) it is easy to calculate z=f(w,b) if w and b are known;

2) it is difficult to calculate w if only z and b are known; if only zand w are known, it is also difficult to calculate b from z=f(w,b); itis difficult to calculate w from z_(i)=f(w,b_(i)), though a series ofz_(i) and b_(i) is obtained; and it is also difficult to calculate bfrom z_(i)=f(w_(i),b) though a series of z_(i) and w_(i) are obtained.

Preferably, the hierarchical group key management approach based onlinear geometry further comprises auto update: if no group member joinsin or leaves the group for a preset period of time, then the groupcontroller will update the group key of each subgroup periodically; thegroup controller reselects a new private vector for each subgroup andsends the new private vector to the corresponding subgroup controller,the subgroup controller receives the new private vector and keepssecret; the central controller reselects the mapping parameter and thegroup key of each subgroup, calculates the public matrix, broadcasts ormulticasts the public matrix and the mapping parameter to all subgroupcontrollers by the central controller via open channel.

Compared with the prior art, the present invention has the followingadvantages:

Firstly, the secure channel is required only when the initialization andauto update of the group. During the initialization of the group, thegroup has not yet been established, so the secure channel is needed inorder to ensure the security of the private vector; the auto updateshould update the private vectors of the subgroups, thus this canprevent the system security from being affected by the leakage ofprivate vectors; and during the communication after then, the centralcontroller only needs to send the central vector A and the mappingparameter r to all the group members, and because the vector A and r areboth public, it is not necessary to keep secret, the secure channel isnot required, and hence the open channel can be used for broadcastingand multicasting.

Secondly, the method of the present invention is independent of othercryptography methods. The security of the present invention is based onthe linear geometry theory over the finite field, only simple mappingfunction and basic operation over the finite field is used during theprocess of calculating the group key, and it does not rely on othertraditional cryptography methods including asymmetric cryptography,symmetric cryptography, and hash function. In this way, the possibilitythat the present invention is attacked by other aspects is reduced. Evenif the traditional cryptography methods are broken, the securityprovided by the present invention will not be affected.

Thirdly, the storage and the computation cost of each member and thegroup controller are reduced. The subgroup controller SC_(i) only has tostore the private vector Z_(i) of this subgroup, while the computationamount of each subgroup controller SC_(i) is the amount of calculatingthe group key and the confidential vector X_(i) in step 7.

Fourthly, the computation of the group controller can be easilyparallelized. For the central controller or subgroup controller, if thegroup controller operates on a multi-core processor platform, then it isvery easy to enable the computation of the group controller to beparallel by using the current popular parallel computing library, whichtakes the advantage of the multi-core processor.

Fifthly, the subgroup does not have to know and store the hierarchicalstructure of the group, the computation result will reveal whether asubgroup is a descendant subgroup. Meanwhile, the hierachical structureof the entire group is hidden. Though the ancestor subgroup knowswhether a subgroup is its descendant subgroup, it can not know its pathto the descendant subgroup. This will be useful to improve the securityof the system.

The present invention can provide sufficient security, and the specificsecurity is analysized as follows:

Firstly, forward and backward secrecy is provided. The group key k_(i)is randomly selected, and k_(i) will be changed each time the groupmembers join or leave. The group key k_(i) will be updated periodly, andthe key will be different at different period of time. Therefore, thesecurity is improved, and the forward and backward secrecy can beguaranteed.

Secondly, the approach provides the security guaranty among differentlevels: a higher level node can derive the keys of its direct orindirect descendant nodes (at lower level), but not vice versa. Themapping parameter and the public matrix A are public, and the higherlevel node can calculate the keys of its descendant nodes, but thedescendant node can not know the private vector Z_(i) of its parentnode, and therefore X_(i) can not be calculated, and the key k_(i) ofits parent node can not be calculated either. Thus, this approach canguarantee the security among different levels.

Thirdly, the subgroups without direct nor indirect ancestor-descendantrelationship can not know the subgroup key of each other. The subgroupswithout direct nor indirect ancestor-descendant relationship can notcalculate the confidential vector X_(i) of one another. Establishequations about X_(i), but since there are at most n number of equationsand at least n+1 number of unknown quantity (the key k_(i) of thesubgroup V_(i) is only known by V_(i) and its parent group nodes), thesubgroups without direct nor indirect ancestor-descendant relationshipcan not calculate the key of one another.

Fourthly, members outside the group can not calculate k_(i). In thisapproach, A and r are sent via a public channel, and members outside thegroup can not calculate any k_(i) based on A and r.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of an architecture of group communicationsystem with hierarchical access control according to a first embodimentof the invention;

FIG. 2 is a schematic diagram of a hierarchical access structure of agroup according to the first embodiment of the invention;

FIG. 3 is a schematic diagram of the communication process during theinitialization of the group according to the first embodiment of theinvention;

FIG. 4 is a schematic diagram showing the variables and the relationshipof CC and SC_(i) after the group is established according to the firstembodiment of the invention;

FIG. 5 is a schematic diagram showing that subgroups join in and leavethe group simultaneously according to a second embodiment of theinvention;

FIG. 6 is a schematic diagram showing the communication between CC and anew joining subgroup SC_(i) according to the second embodiment of theinvention;

FIG. 7 is a schematic diagram showing that a new group is establishedafter the group has finished all the operations regarding the joiningand leaving of subgroups according to the second embodiment of theinvention;

FIG. 8 is a schematic diagram showing an architecture of groupcommunication system with hierarchical access control according to athird embodiment of the invention;

FIG. 9 is a schematic diagram showing a hierachical access structure ofthe group according to the third embodiment of the invention;

FIG. 10 is a schematic diagram of the communication process during theinitialization of the group according to the third embodiment of theinvention;

FIG. 11 is a schematic diagram showing the variables and therelationship of CC and SC_(i) after the group is established accordingto the third embodiment of the invention;

FIG. 12 is a schematic diagram that subgroups join in and leave thegroup simultaneously according to a fourth embodiment of the invention;

FIG. 13 is a schematic diagram showing the communication of CC and a newjoining subgroup SC_(i) according to the fourth embodiment of theinvention;

FIG. 14 is a schematic diagram showing that a new group is establishedafter the group has finished all the operations regarding the joiningand leaving of subgroups according to the fourth embodiment of theinvention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The invention will be further described in detail in the followingembodiments accompanying the drawings. It will nevertheless beunderstood that no limitation of the scope of the invention is therebyintended.

Embodiment 1

Referring to FIG. 1, a group communication system with hierarchicalaccess control includes a central controller CC, subgroups V_(i),subgroup controllers SC_(i), and the central controller CC and thesubgroups V_(i) are connected via internet, wherein i=1, 2, . . . , 7.

The group hierarchical access structure is shown in FIG. 2. All thehigher level nodes can derive the keys of its direct or indirectdescendant nodes, while the lower level nodes can not derive the keys ofits ancestor nodes. The nodes without direct nor indirectancestor-descendant relationship can not know the subgroup key of eachother. The key of one node can not be derived by the other node if theyare brother nodes.

As shown in FIG. 3, the system selects the finite field F, and allcomputations in the group are performed over the finite field F;meanwhile, a pseudo-random number generator is selected to be used asf(.,.); for the same initialization input (seed), the pseudo-randomnumber generator should have the same output sequence; atinitialization, let N=10.

Step 1: when the subgroup V_(i) would like to join in the group, thecentral controller CC selects a private vector Z_(i)=(z_(i,1), z_(i,2),. . . , z_(i,10)) (z_(i,j)εF, j=1, . . . , 10) randomly for eachsubgroup V; sends the private vector to the corresponding subgroupcontroller via secure channel, and the subgroup controller stores theprivate vector and keeps secret; CC assigns a serial number SC_(i) forthe subgroup controller of the subgroup V_(i), and the serial number isbroadcasted or multicasted to all the subgroup controllers via publicchannel, wherein i=1, 2, . . . , 7;

Step 2: the central controller CC selects a random number r in thefinite field F to be used as the mapping parameter, and maps all theprivate vectors Z_(i) into a new set of vectors X_(i)=(x_(i,1), x_(i,2),. . . , x_(i,7)) via the mapping f(•,•), wherein i=1, 2, . . . , 7:

x_(1, 1) = f(z_(1, 1), r) x_(1, 2) = f(z_(1, 2), r)… , x_(1, 7) = f(z_(1, 7), r) … , x_(7, 1) = f(z_(7, 1), r)x_(7, 2) = f(z_(7, 2), r) … , x_(7, 7) = f(z_(7, 7), r)

then CC obtains a new set of vectors over the finite field F, calledconfidential vectors:

X₁ = (x_(1, 1), x_(1, 2), … , x_(1, 7))X₂ = (x_(2, 1), x_(2, 2), … , x_(2, 7))… , X₇ = (x_(7, 1), x_(7, 2), … , x_(7, 7))

The central controller CC judges whether X₁, X₂, . . . , X₇ are linearlydependent, and if they are linearly independent, then proceed to thestep 3; otherwise, return to the step 2. (Since r is a random number, itis easy to obtain a set of vectors X₁, X₂, . . . , X₇ that are linearlyindependent).

Step 3: suppose the public vector is A_(i)=(a_(i,1), a_(i,2), . . . ,a_(i,7)); CC selects a key randomly in the finite field F for eachsubgroup controller SC_(i), respectively, k₁, k₂, . . . , k₇, andk_(i)≠0 (i=1, 2, . . . , 7); CC calculates the public matrix A from thefollowing systems of equations, wherein i=1, 2, . . . , 7:

(1) for V₁, only V₁ can derive k₁, and the other V_(i)(i=2, 3, . . . ,7) can not derive k₁. The relationship of each X_(i)(i=1, 2, . . . , 7),the public vector A₁ and the key k₁ is as follows:X ₁ ×A ₁ ^(T) =k ₁X ₂ ×A ₁ ^(T)=0X ₃ ×A ₁ ^(T)=0X ₄ ×A ₁ ^(T)=0X ₅ ×A ₁ ^(T)=0X ₆ ×A ₁ ^(T)=0X ₇ ×A ₁ ^(T)=0

Suppose X=(X₁, X₂, . . . , X₇), K₁=(k₁, 0, 0, 0, 0, 0, 0)^(T), then itcan be written in matrix form as: X×A₁ ^(T)=K₁, while it can also berepresented by a system of equations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{1,1}} + {x_{1,2}a_{1,2}} + \ldots + {x_{1,7}a_{1,7}}} = k_{1}} \\{{{x_{2,1}a_{1,1}} + {x_{2,2}a_{1,2}} + \ldots + {x_{2,7}a_{1,7}}} = 0} \\{{{x_{3,1}a_{1,1}} + {x_{3,2}a_{1,2}} + \ldots + {x_{3,7}a_{1,7}}} = 0} \\{{{x_{4,1}a_{1,1}} + {x_{4,2}a_{1,2}} + \ldots + {x_{4,7}a_{1,7}}} = 0} \\{{{x_{5,1}a_{1,1}} + {x_{5,2}a_{1,2}} + \ldots + {x_{5,7}a_{1,7}}} = 0} \\{{{x_{6,1}a_{1,1}} + {x_{6,2}a_{1,2}} + \ldots + {x_{6,7}a_{1,7}}} = 0} \\{{{x_{7,1}a_{1,1}} + {x_{7,2}a_{1,2}} + \ldots + {x_{7,7}a_{1,7}}} = 0}\end{matrix}\quad} \right.$

(2) for V₂, both V₁ and V₂ can derive k₂, the other V_(i)(i=3, 4, . . ., 7) can not derive k₂. The relationship of each X_(i) (i=1, 2, . . . ,7), the public vector A₂ and key k₂ is as follows:X ₁ ×A ₂ ^(T) =k ₂X ₂ ×A ₂ ^(T) =k ₂X ₃ ×A ₂ ^(T)=0X ₄ ×A ₂ ^(T)=0X ₅ ×A ₂ ^(T)=0X ₆ ×A ₂ ^(T)=0X ₇ ×A ₂ ^(T)=0

Suppose K₂=(k₂, k₂, 0, 0, 0, 0, 0)^(T), then it can be written in matrixform as: X×A₂ ^(T)=K₂; while it can also be represented by a system ofequations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{2,1}} + {x_{1,2}a_{2,2}} + \ldots + {x_{1,7}a_{2,7}}} = k_{2}} \\{{{x_{2,1}a_{2,1}} + {x_{2,2}a_{2,2}} + \ldots + {x_{2,7}a_{2,7}}} = k_{2}} \\{{{x_{3,1}a_{2,1}} + {x_{3,2}a_{2,2}} + \ldots + {x_{3,7}a_{2,7}}} = 0} \\{{{x_{4,1}a_{2,1}} + {x_{4,2}a_{2,2}} + \ldots + {x_{4,7}a_{2,7}}} = 0} \\{{{x_{5,1}a_{2,1}} + {x_{5,2}a_{2,2}} + \ldots + {x_{5,7}a_{2,7}}} = 0} \\{{{x_{6,1}a_{2,1}} + {x_{6,2}a_{2,2}} + \ldots + {x_{6,7}a_{2,7}}} = 0} \\{{{x_{7,1}a_{2,1}} + {x_{7,2}a_{2,2}} + \ldots + {x_{7,7}a_{2,7}}} = 0}\end{matrix}\quad} \right.$

(3) for V₃, only V₁ and V₃ can derive k₃, but other V_(i)(i=2, 4, 5, 6,7) can not derive k₃. The relationship of each confidential vector X_(i)(i=1, 2, . . . , 7), the public vector A₃ and the key k₃ is as follows:X ₁ ×A ₃ ^(T) =k ₃X ₂ ×A ₃ ^(T)=0X ₃ ×A ₃ ^(T) =k ₃X ₄ ×A ₃ ^(T)=0X ₅ ×A ₃ ^(T)=0X ₆ ×A ₃ ^(T)=0X ₇ ×A ₃ ^(T)=0

Suppose K₃=(k₃, 0, k₃, 0, 0, 0, 0)^(T), then it can be written in matrixform as: X×A₃ ^(T)=K₃; while it can also be represented by a system ofequations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{3,1}} + {x_{1,2}a_{3,2}} + \ldots + {x_{1,7}a_{3,7}}} = k_{3}} \\{{{x_{2,1}a_{3,1}} + {x_{2,2}a_{3,2}} + \ldots + {x_{2,7}a_{3,7}}} = 0} \\{{{x_{3,1}a_{3,1}} + {x_{3,2}a_{3,2}} + \ldots + {x_{3,7}a_{3,7}}} = k_{3}} \\{{{x_{4,1}a_{3,1}} + {x_{4,2}a_{3,2}} + \ldots + {x_{4,7}a_{3,7}}} = 0} \\{{{x_{5,1}a_{3,1}} + {x_{5,2}a_{3,2}} + \ldots + {x_{5,7}a_{3,7}}} = 0} \\{{{x_{6,1}a_{3,1}} + {x_{6,2}a_{3,2}} + \ldots + {x_{6,7}a_{3,7}}} = 0} \\{{{x_{7,1}a_{3,1}} + {x_{7,2}a_{3,2}} + \ldots + {x_{7,7}a_{3,7}}} = 0}\end{matrix}\quad} \right.$

(4) for V₄, the key k₄ can be derived by V₁, V₂ and V₄, but can not bederived by the other V_(i)(i=3, 5, 6, 7). The confidential vectorX_(i)(i=1, 2, . . . , 7), the public vector A₄ and the key k₄ have thefollowing relationship:X ₁ ×A ₄ ^(T) =k ₄X ₂ ×A ₄ ^(T) =k ₄X ₃ ×A ₄ ^(T)=0X ₄ ×A ₄ ^(T) =k ₄X ₅ ×A ₄ ^(T)=0X ₆ ×A ₄ ^(T)=0X ₇ ×A ₄ ^(T)=0

Suppose K₄=(k₄, k₄, 0, k₄, 0, 0, 0)^(T), then it can be written inmatrix form as: X×A₄ ^(T)=K₄; while it can also be represented by asystem of equations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{4,1}} + {x_{1,2}a_{4,2}} + \ldots + {x_{1,7}a_{4,7}}} = k_{4}} \\{{{x_{2,1}a_{4,1}} + {x_{2,2}a_{4,2}} + \ldots + {x_{2,7}a_{4,7}}} = k_{4}} \\{{{x_{3,1}a_{4,1}} + {x_{3,2}a_{4,2}} + \ldots + {x_{3,7}a_{4,7}}} = 0} \\{{{x_{4,1}a_{4,1}} + {x_{4,2}a_{4,2}} + \ldots + {x_{4,7}a_{4,7}}} = k_{4}} \\{{{x_{5,1}a_{4,1}} + {x_{5,2}a_{4,2}} + \ldots + {x_{5,7}a_{4,7}}} = 0} \\{{{x_{6,1}a_{4,1}} + {x_{6,2}a_{4,2}} + \ldots + {x_{6,7}a_{4,7}}} = 0} \\{{{x_{7,1}a_{4,1}} + {x_{7,2}a_{4,2}} + \ldots + {x_{7,7}a_{4,7}}} = 0}\end{matrix}\quad} \right.$

(5) for V₅, the key k₅ can be derived by V₁, V₂ and V₅, but can not bederived by other V_(i)(i=3, 4, 6, 7). The confidential vector X_(i)(i=1, 2, . . . , 7), the public vector A₅ and the key k₅ have thefollowing relationship:X ₁ ×A ₅ ^(T) =k ₅X ₂ ×A ₅ ^(T) =k ₅X ₃ ×A ₅ ^(T)=0X ₄ ×A ₅ ^(T)=0X ₅ ×A ₅ ^(T) =k ₅X ₆ ×A ₅ ^(T)=0X ₇ ×A ₅ ^(T)=0

Suppose K₅=(k₅, k₅, 0, k₅, 0, 0)^(T), then it can be written in matrixform as: X×A₅ ^(T)=K₅; while it can also be represented by a system ofequations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{5,1}} + {x_{1,2}a_{5,2}} + \ldots + {x_{1,7}a_{5,7}}} = k_{5}} \\{{{x_{2,1}a_{5,1}} + {x_{2,2}a_{5,2}} + \ldots + {x_{2,7}a_{5,7}}} = k_{5}} \\{{{x_{3,1}a_{5,1}} + {x_{3,2}a_{5,2}} + \ldots + {x_{3,7}a_{5,7}}} = 0} \\{{{x_{4,1}a_{5,1}} + {x_{4,2}a_{5,2}} + \ldots + {x_{4,7}a_{5,7}}} = 0} \\{{{x_{5,1}a_{5,1}} + {x_{5,2}a_{5,2}} + \ldots + {x_{5,7}a_{5,7}}} = k_{5}} \\{{{x_{6,1}a_{5,1}} + {x_{6,2}a_{5,2}} + \ldots + {x_{6,7}a_{5,7}}} = 0} \\{{{x_{7,1}a_{5,1}} + {x_{7,2}a_{5,2}} + \ldots + {x_{7,7}a_{5,7}}} = 0}\end{matrix}\quad} \right.$

(6) for V₆, the key k₆ can be derived by V₁, V₃ and V₆, but can not bederived by other V_(i)(i=2, 4, 5, 7). The confidential vector X_(i)(i=1, 2, . . . , 7), the public vector A₆ and the key k₆ have thefollowing relationship:X ₁ ×A ₆ ^(T) =k ₆X ₂ ×A ₆ ^(T)=0X ₃ ×A ₆ ^(T) =k ₆X ₄ ×A ₆ ^(T)=0X ₅ ×A ₆ ^(T)=0X ₆ ×A ₆ ^(T) =k ₆X ₇ ×A ₆ ^(T)=0

Suppose K₆=(k₆, 0, k₆, 0, 0, k₆, 0), then it can be written in matrixform as: X×A₆ ^(T)=K₆; while it can also be represented by a system ofequations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{6,1}} + {x_{1,2}a_{6,2}} + \ldots + {x_{1,7}a_{6,7}}} = k_{6}} \\{{{x_{2,1}a_{6,1}} + {x_{2,2}a_{6,2}} + \ldots + {x_{2,7}a_{6,7}}} = 0} \\{{{x_{3,1}a_{6,1}} + {x_{3,2}a_{6,2}} + \ldots + {x_{3,7}a_{6,7}}} = k_{6}} \\{{{x_{4,1}a_{6,1}} + {x_{4,2}a_{6,2}} + \ldots + {x_{4,7}a_{6,7}}} = 0} \\{{{x_{5,1}a_{6,1}} + {x_{5,2}a_{6,2}} + \ldots + {x_{5,7}a_{6,7}}} = 0} \\{{{x_{6,1}a_{6,1}} + {x_{6,2}a_{6,2}} + \ldots + {x_{6,7}a_{6,7}}} = k_{6}} \\{{{x_{7,1}a_{6,1}} + {x_{7,2}a_{6,2}} + \ldots + {x_{7,7}a_{6,7}}} = 0}\end{matrix}\quad} \right.$

(7) for V₇, the key k₇ can be derived by V₁, V₃ and V₇, but can not bederived by other V_(i)(i=2, 4, 5, 6). The confidential vector X_(i)(i=1, 2, . . . , 7), the public vector A₇ and the key k₇ have thefollowing relationship:X ₁ ×A ₇ ^(T) =k ₇X ₂ ×A ₇ ^(T)=0X ₃ ×A ₇ ^(T)=0X ₄ ×A ₇ ^(T)=0X ₅ ×A ₇ ^(T)=0X ₆ ×A ₇ ^(T)=0X ₇ ×A ₇ ^(T) =k ₇

Suppose K₇=(k₇, 0, k₇, 0, 0, k₇)^(T), then it can be written in matrixform as: X×A₇ ^(T)=K₇; while it can also be represented by a system ofequations as follows:

$\left\{ {\begin{matrix}{{{x_{1,1}a_{7,1}} + {x_{1,2}a_{7,2}} + \ldots + {x_{1,7}a_{7,7}}} = k_{7}} \\{{{x_{2,1}a_{7,1}} + {x_{2,2}a_{7,2}} + \ldots + {x_{2,7}a_{7,7}}} = 0} \\{{{x_{3,1}a_{7,1}} + {x_{3,2}a_{7,2}} + \ldots + {x_{3,7}a_{7,7}}} = k_{7}} \\{{{x_{4,1}a_{7,1}} + {x_{4,2}a_{7,2}} + \ldots + {x_{4,7}a_{7,7}}} = 0} \\{{{x_{5,1}a_{7,1}} + {x_{5,2}a_{7,2}} + \ldots + {x_{5,7}a_{7,7}}} = 0} \\{{{x_{6,1}a_{7,1}} + {x_{6,2}a_{7,2}} + \ldots + {x_{6,7}a_{7,7}}} = 0} \\{{{x_{7,1}a_{7,1}} + {x_{7,2}a_{7,2}} + \ldots + {x_{7,7}a_{7,7}}} = k_{7}}\end{matrix}\quad} \right.$

(8) Let A=(A₁ ^(T), A₂ ^(T), . . . , A₇ ^(T)); K=(K₁, K₂, . . . , K₇)from the above (1) to (7), it can be obtained that X×A=K, that is,

$\begin{bmatrix}x_{11} & x_{12} & x_{13} & x_{14} & x_{15} & x_{16} & x_{17} \\x_{21} & x_{22} & x_{23} & x_{24} & x_{25} & x_{26} & x_{27} \\x_{31} & x_{32} & x_{33} & x_{34} & x_{35} & x_{36} & x_{37} \\x_{41} & x_{42} & x_{43} & x_{44} & x_{45} & x_{46} & x_{47} \\x_{51} & x_{52} & x_{53} & x_{54} & x_{55} & x_{56} & x_{57} \\x_{61} & x_{62} & x_{63} & x_{64} & x_{65} & x_{66} & x_{67} \\x_{71} & x_{72} & x_{73} & x_{74} & x_{75} & x_{76} & x_{77}\end{bmatrix} \times {\quad{\begin{bmatrix}a_{11} & a_{21} & a_{31} & a_{41} & a_{51} & a_{61} & a_{71} \\a_{12} & a_{22} & a_{32} & a_{42} & a_{52} & a_{62} & a_{72} \\a_{13} & a_{23} & a_{33} & a_{43} & a_{53} & a_{63} & a_{73} \\a_{14} & a_{24} & a_{34} & a_{44} & a_{54} & a_{64} & a_{74} \\a_{15} & a_{25} & a_{35} & a_{45} & a_{55} & a_{65} & a_{75} \\a_{16} & a_{26} & a_{36} & a_{46} & a_{56} & a_{66} & a_{76} \\a_{17} & a_{27} & a_{37} & a_{47} & a_{57} & a_{67} & a_{77}\end{bmatrix} = {\quad\begin{bmatrix}k_{1} & k_{2} & k_{3} & k_{4} & k_{5} & k_{6} & k_{7} \\0 & k_{2} & 0 & k_{4} & k_{5} & 0 & 0 \\0 & 0 & k_{3} & 0 & 0 & k_{6} & k_{7} \\0 & 0 & 0 & k_{4} & 0 & 0 & 0 \\0 & 0 & 0 & 0 & k_{5} & 0 & 0 \\0 & 0 & 0 & 0 & 0 & k_{6} & 0 \\0 & 0 & 0 & 0 & 0 & 0 & k_{7}\end{bmatrix}}}}$

As long as the matrix determinant

${{X} = {{\begin{matrix}x_{11} & x_{12} & \ldots & x_{17} \\x_{21} & x_{22} & \ldots & x_{27} \\\vdots & \vdots & \ddots & \vdots \\x_{71} & x_{72} & \ldots & x_{77}\end{matrix}} \neq 0}},$then A has a unique solution.

The matrix A calculated and the mapping parameter are broadcasted ormulticasted by CC to all the subgroup controllers SC_(i) via publicchannel, wherein i=1, 2, . . . , 7;

Step 4: after all the subgroup controllers receive the public matrix Aand the mapping parameter r, the new vector is calculated through f(•,•) and the mapping parameter r:

For the subgroup controller SC_(i), wherein X_(i)=(X_(i,1), x_(i,2), . .. , x_(i,7)):

x_(i, 1) = f(z_(i, 1), r) x_(i, 2) = f(z_(i, 2), r)… , x_(i, 7) = f(z_(i, 7), r)

Then, k_(i) and t_(j) (j≠i and j=1, . . . , 7) are calculated accordingto the equations (4) and (5), wherein i=1, 2, . . . , 7;

For example, for V₃, the subgroup controller SC₃ receives the matrix Aand the parameter r, and calculates X₃ (X_(3,1), x_(3,2), . . . ,x_(3,7)):

x_(3, 1) = f(z_(3, 1), r) x_(3, 2) = f(z_(3, 2), r)… , x_(3, 7) = f(z_(3, 7), r)

Then, according to the equations (4) and (5), SC₃ calculates k₃ andt_(j) (j=1, 2, 4, 5, 6, 7), Wherein t₆=k₆, t₇=k₇, and the other t_(j)=0(j=1, 2, 4, 5); the subgroup controller SC₃ distributes the calculatedk₃ and t_(j) (j=1, 2, 4, 5, 6, 7) to subgroup members through the groupkey management scheme in the subgroup.

As shown in FIG. 4, a group with hierarchical access control and sevensubgroups is established according to the above steps. The hierarchicalrelationship among subgroups is contained in the confidential vector ofeach subgroup and the public matrix A.

Embodiment 2

When the relationship between the subgroups is changed, as shown in FIG.5: V₆ wants to leave the group while V₈ wants to join in the group as anew subgroup of V₂.

Step 1, as show in FIG. 6, SC₆ sends a leaving request to CC, and CCdeletes the private vector Z₆ after receiving the request; CC selects aprivate vector ZεF^(N) randomly, and sends it to the subgroup controllerof V₈ via secure channel; after receiving the private vector Z, thesubgroup controller of V₈ stores it and keeps secret;

CC reassigns serial numbers for the current subgroup controllers,wherein SC₁ to SC₅ remain unchanged, and the corresponding privatevectors are Z₁ to Z₅ respectively; SC₇ is changed into SC₆, while thecorresponding private vector is changed into Z₆; the serial number of V₈is changed into SC₇ while its corresponding private vector is changedinto Z₇ correspondingly. At this time, the private vector stored by CCis Z_(i)(i=1, 2, . . . , 7), and the hierarchical relationship of thegroup is shown in FIG. 7.

The other steps are identical to the steps 2 to 4 of Embodiment 1. Itshould be noted that: for SC₇, the relationship of each private vectorX_(i)(i=1, 2, . . . , 7), the public vector A₇ and the subgroup key k₇is different from the item (7) of the step 3 of Embodiment 1, and thecorresponding relationship after SC₇ is changed is as follows:

For SC₇, V₃ can no longer derive k₇, and k₇ can be derived by V₁, V₂ andV₇, but can not be derived by the other V_(i)(i=4, 5, 6). Each privatevector X_(i)(i=1, 2, . . . , 7), the public vector A₇ and the key k₇have the following relationship:X ₁ ×A ₇ ^(T) =k ₇X ₂ ×A ₇ ^(T) =k ₇X ₃ ×A ₇ ^(T)=0X ₄ ×A ₇ ^(T)=0X ₅ ×A ₇ ^(T)=0X ₆ ×A ₇ ^(T)=0X ₇ ×A ₇ ^(T) =k ₇

Suppose K₇=(k₇, k₇, 0, 0, 0, 0, k₇)^(T), then it can be written inmatrix form: X×A₇ ^(T)=K₇; while it can also be represented by a systemof equations as follows:

$\quad\left\{ \begin{matrix}{{{x_{1,1}a_{7,1}} + {x_{1,2}a_{7,2}} + \ldots + {x_{1,7}a_{7,7}}} = k_{7}} \\{{{x_{2,1}a_{7,1}} + {x_{2,2}a_{7,2}} + \ldots + {x_{2,7}a_{7,7}}} = k_{7}} \\{{{x_{3,1}a_{7,1}} + {x_{3,2}a_{7,2}} + \ldots + {x_{3,7}a_{7,7}}} = 0} \\{{{x_{4,1}a_{7,1}} + {x_{4,2}a_{7,2}} + \ldots + {x_{4,7}a_{7,7}}} = 0} \\{{{x_{5,1}a_{7,1}} + {x_{5,2}a_{7,2}} + \ldots + {x_{5,7}a_{7,7}}} = 0} \\{{{x_{6,1}a_{7,1}} + {x_{6,2}a_{7,2}} + \ldots + {x_{6,7}a_{7,7}}} = 0} \\{{{x_{7,1}a_{7,1}} + {x_{7,2}a_{7,2}} + \ldots + {x_{7,7}a_{7,7}}} = k_{7}}\end{matrix} \right.$

The other details are identical to the step 3 of the Embodiment 1.

As shown in FIG. 7, the bulk operation of joining and leaving of groupsis done through the above steps, and the new hierarchical relationshipis also reflected in A and each X_(i) (i=1, 2, . . . , 7). Joining orleaving separately can be regarded as a special form of the bulkoperation. During the joining operation of new groups, the securechannel only exists when the new group sends the private vector to CC,and the other groups (original groups) do not need to resend the privatevectors to CC.

Embodiment 3

As shown in FIG. 8, a group communication system with hierarchicalaccess control includes a central controller CC, subgroups V_(i),subgroup controllers SC_(i), wherein the central controller CC and thesubgroup controllers SC_(i) are connected via internet, wherein i=1, 2,. . . , 5.

The group hierarchical access structure is shown in FIG. 9. All thehigher level nodes can derive the keys of its direct or indirectdescendant nodes, while the lower level nodes can not derive the keys ofit ancestor nodes. The subgroups without direct nor indirectancestor-descendant relationship can not know the subgroup key of eachother. The key of one node can not be derived by the other node if theyare brother nodes.

As shown in FIG. 10, the system selects the finite field F, and allcomputations are performed over the finite field F; meanwhile, apseudo-random number generator is selected to be used as f(•,•); for thesame initialization input (seed), the pseudo-random number generatorshould have the same output sequence; at initialization, let m=2.

Step 1, when the subgroup V_(i) wants to join the group, CC selects twoprivate vectors Z_(i)=(z_(i,1),z_(i,2)) and Y_(i)=(y_(i,1),y_(i,2)) foreach subgroup V_(i); sends them to the corresponding subgroup controllervia secure channel, and all the subgroup controllers receive the privatevectors Z_(i) and Y_(i), store them and keep secret; a serial numberSC_(i) for the subgroup controller of the subgroup V_(i) is assigned byCC and broadcasted and multicasted to all the subgroup controllers viapublic channel, wherein i=1, . . . , 5;

Step 2, the central controller CC selects a random number r over thefinte field F to be used as the mapping parameter, and maps all theprivate vectors Z_(i) and Y_(i) respectively into new vectorsX_(i)=(x_(i,1), . . . , x_(i,5)) and W_(i)=(w_(i,1)w_(i,2)), whereini=1, 2, . . . , 5:x _(1,1) =f(z _(1,1) ,r)x _(2,1) =f(z _(2,1) ,r)x _(3,1) =f(z _(3,1),r)x _(4,1) =f(z _(4,1) ,r)x _(5,1) =f(z _(5,1) ,r)x _(1,2) =f(z _(1,2) ,r),x _(2,2) =f(z _(2,2) ,r),x _(3,3) =f(z _(3,2),r),x _(4,4) =f(z _(4,2) ,r),x _(5,5) =f(z _(5,2) ,r);w _(1,1) =f(y _(1,1) ,r)w _(2,1) =f(y _(2,1) ,r)w _(3,1) =f(y _(3,1),r)w _(4,1) =f(y _(4,1) ,r)w _(5,1) =f(y _(5,1) ,r)w _(1,2) =f(y _(1,2) ,r),w _(2,2) =f(y _(2,2) ,r),w _(3,2) =f(y _(3,2),r),w _(4,2) =f(y _(4,2) ,r),w _(5,2) =f(y _(5,2) ,r)

Then, the central controller CC obtains a new set of n-dimensionalvectors X_(i) and a new set of two-dimensional vectors W_(i), whereini=1, . . . , 5, and X_(i) and W_(i) are called confidential vectors:X ₁=(x _(1,1) ,x _(1,2),0,0,0)X ₂=(x _(2,1) ,x _(2,2),0,0,0)X ₃=(x _(3,1),0,x _(3,3),0,0)X ₄=(x _(4,1),0,0,x _(4,4),0)X ₅=(x _(5,1),0,0,0,x _(5,5))W ₁=(w _(1,1) ,w _(1,2))W ₂=(w _(2,1) ,w _(2,2))W ₃=(w _(3,1) ,w _(3,2))W ₄=(w _(4,1) ,w _(4,2))W ₅=(w _(5,1) ,w _(5,2))

The central controller CC judges whether X₁, X₂, . . . , X₅ are linearlydependent, and if they are linearly independent, then proceed to thestep 3; or else, return to step 2; (because r is a random number, it isvery easy to obtain a set of vectors X₁, X₂, . . . , X₅ which arelinearly independent);

Step 3, suppose the private vector of the subgroup V_(i) isA_(i)=(a_(i,1), a_(i,2), . . . , a_(i,5)); the central controller CCselects a key randomly in the finite field F for each group controllerSC_(i), respectively, k_(1,1), k_(2,2), . . . , k_(5,5), and k_(i)≠0(i=1, 2, . . . , 5); the central controller CC calculates the publicmatrix A through a series of systems of equations as follows, whereini=1, 2, . . . , 5:

(1) for V₁, only V₁ can derive k_(1,1), and the other V_(i) (i=2, 3, . .. , 5) can not derive k_(1,1). The relationship of each X_(i)(i=1, 2, .. . , 5), the public vector A₁ and the key k_(1,1) is as follows:X ₁ ×A ₁ ^(T) =k _(1,1)X ₂ ×A ₁ ^(T)=0X ₃ ×A ₁ ^(T)=0X ₄ ×A ₁ ^(T)=0X ₅ ×A ₁ ^(T)=0

suppose X=(X₁, X₂, . . . , X₃), K₁=(k_(1,1), 0, 0, 0, 0)^(T), then itcan be written in matrix form: X×A₁ ^(T)=K₁, while it can also berepresented by a system of equations as follows:

$\quad\left\{ \begin{matrix}{{{x_{1,1}a_{1,1}} + {x_{1,2}a_{1,2}} + 0 + 0 + 0} = k_{1,1}} \\{{{x_{2,1}a_{1,1}} + {x_{2,2}a_{1,2}} + 0 + 0 + 0} = 0} \\{{{x_{3,1}a_{1,1}} + 0 + {x_{3,3}a_{1,3}} + 0 + 0} = 0} \\{{{x_{4,1}a_{1,1}} + 0 + 0 + {x_{4,4}a_{1,4}} + 0} = 0} \\{{{x_{5,1}a_{1,1}} + 0 + 0 + 0 + {x_{5,5}a_{1,5}}} = 0}\end{matrix} \right.$

(2) for V₂, k_(2,2) can be derived by V₁ and V₂, wherein V₁ will derivek_(2,2) via an indirect method, and the other V_(i)(i=3, 4, . . . , 5)can not derive k_(2,2). Each private vector X_(i)(i=1, 2, . . . , 5),the public vector A₂ and the key k_(2,2) have the followingrelationship:X ₁ ×A ₂ ^(T) =k _(1,2)X ₂ ×A ₂ ^(T) =k _(2,2)X ₃ ×A ₂ ^(T)=0X ₄ ×A ₂ ^(T)=0X ₅ ×A ₂ ^(T)=0

wherein, k_(1,2)=(k_(2,2)−w_(1,1)k_(1,1))w_(1,2) ⁻¹

suppose K₂=(k_(1,2), k_(2,2), 0, 0, 0)^(T), then it can be written inmatrix form as: X×A₂ ^(T)=K₂, while it can also be represented by asystem of equations as follows:

$\quad\left\{ \begin{matrix}{{{x_{1,1}a_{2,1}} + {x_{1,2}a_{2,2}} + 0 + 0 + 0} = k_{1,2}} \\{{{x_{2,1}a_{2,1}} + {x_{2,2}a_{2,2}} + 0 + 0 + 0} = k_{2,2}} \\{{{x_{3,1}a_{2,1}} + 0 + {x_{3,3}a_{2,3}} + 0 + 0} = 0} \\{{{x_{4,1}a_{2,1}} + 0 + 0 + {x_{4,4}a_{2,4}} + 0} = 0} \\{{{x_{5,1}a_{2,1}} + 0 + 0 + 0 + {x_{5,5}a_{2,5}}} = 0}\end{matrix} \right.$

wherein, k_(1,2)=(k_(2,2)−w_(1,1)k_(1,1))w_(1,2) ⁻¹

(3) for V₃, only V₁ and V₃ can derive k_(3,3), wherein V₁ will derivek_(3,3) via an indirect method; the other V_(i)(i=2, 4, 5) can notderive k_(3,3). Each private vector X_(i) (i=1, 2, . . . , 5), thepublic vector A₃ and the key k_(3,3) have the following relationship:X ₁ ×A ₃ ^(T) =k _(1,3)X ₂ ×A ₃ ^(T)=0X ₃ ×A ₃ ^(T) =k _(3,3)X ₄ ×A ₃ ^(T)=0X ₅ ×A ₃ ^(T)=0k _(1,3)=(k _(3,3) −w _(1,1) k _(1,1))w _(1,2) ⁻¹

suppose K₃=(k_(1,3), 0, k_(3,3), 0, 0)^(T), then it can be written inmatrix form as: X×A₃ ^(T)=K₃; while it can also be represented by asystem of equations as follows:

$\left\{ {{\begin{matrix}{{{x_{1,1}a_{3,1}} + {x_{1,2}a_{3,2}} + 0 + 0 + 0} = k_{1,3}} \\{{{x_{2,1}a_{3,1}} + {x_{2,2}a_{3,2}} + 0 + 0 + 0} = 0} \\{{{x_{3,1}a_{3,1}} + 0 + {x_{3,3}a_{3,3}} + 0 + 0} = k_{3,3}} \\{{{x_{4,1}a_{3,1}} + 0 + 0 + {x_{4,4}a_{3,4}} + 0} = 0} \\{{{x_{5,1}a_{3,1}} + 0 + 0 + 0 + {x_{5,5}a_{3,5}}} = 0}\end{matrix}k_{1,3}} = {\left( {k_{3,3} - {w_{1,1}k_{1,1}}} \right)w_{1,2}^{- 1}}} \right.$

(4) for V₄, k_(4,4) can be derived by V₁, V₂ and V₄, wherein V₁ and V₂will derive k_(4,4) via an indirect method; the other V_(i)(i=3, 5) cannot derive k_(4,4). Each confidential vector X_(i)(i=1, 2, . . . , 5),the public vector A₄ and the key k_(4,4) have the followingrelationship:X ₁ ×A ₄ ^(T) =k _(1,4)X ₂ ×A ₄ ^(T) =k _(2,4)X ₃ ×A ₄ ^(T)=0X ₄ ×A ₄ ^(T) =k _(4,4)X ₅ ×A ₄ ^(T)=0k _(1,4)=(k _(4,4) −w _(1,1) k _(1,1))w _(1,2) ⁻¹k _(2,4)=(k _(4,4) −w _(2,1) k _(2,2))w _(2,2) ⁻¹

suppose K₄=(k_(1,4), k_(2,4), 0, k_(4,4), 0, 0, 0)^(T), then it can bewritten in matrix form as X×A₄ ^(T)=K₄; while it can also be representedby a system of equations as follows:

$\left\{ {{\begin{matrix}{{{x_{1,1}a_{4,1}} + {x_{1,2}a_{4,2}} + 0 + 0 + 0} = k_{1,4}} \\{{{x_{2,1}a_{4,1}} + {x_{2,2}a_{4,2}} + 0 + 0 + 0} = k_{2,4}} \\{{{x_{3,1}a_{4,1}} + 0 + {x_{3,3}a_{4,3}} + 0 + 0} = 0} \\{{{x_{4,1}a_{4,1}} + 0 + 0 + {x_{4,4}a_{4,4}} + 0} = k_{4,4}} \\{{{x_{5,1}a_{4,1}} + 0 + 0 + 0 + {x_{5,5}a_{4,5}}} = 0}\end{matrix}k_{1,4}} = {{\left( {k_{4,4} - {w_{1,1}k_{1,1}}} \right)w_{1,2}^{- 1}k_{2,4}} = {\left( {k_{4,4} - {w_{2,1}k_{2,2}}} \right)w_{2,2}^{- 1}}}} \right.$

(5) for V₅, k_(5,5) can be derived by V₁, V₃ and V₅, wherein V₁ and V₃will derive k_(5,5) via an indirect method; other V_(i)(i=2, 4) can notderive k_(5,5). Each confidential vector X_(i)(i=1, 2, . . . , 5), thepublic vector A₅ and the key k_(5,5) have the following relationship:X ₁ ×A ₅ ^(T) =k _(1,5)X ₂ ×A ₄ ^(T)=0X ₃ ×A ₅ ^(T) =k _(3,5)X ₄ ×A ₅ ^(T)=0X ₅ ×A ₅ ^(T) =k _(5,5)k _(1,5)=(k _(5,5) −w _(1,1) k _(1,1))w _(1,2) ⁻¹k _(3,5)=(k _(5,5) −w _(3,1) k _(3,3))w _(3,2) ⁻¹

suppose K₅=(k_(1,5), 0, k_(3,5), 0, k_(5,5))^(T), then it can be writtenin matrix form as X×A₅ ^(T)=K₅; while it can also be represented by asystem of equations as follows:

$\begin{matrix}\left\{ {{{\begin{matrix}{{{x_{1,1}a_{5,1}} + {x_{1,2}a_{5,2}} + 0 + 0 + 0} = k_{1,5}} \\{{{x_{2,1}a_{5,1}} + {x_{2,2}a_{5,2}} + 0 + 0 + 0} = 0} \\{{{x_{3,1}a_{5,1}} + 0 + {x_{3,3}a_{5,3}} + 0 + 0} = k_{3,5}} \\{{{x_{4,1}a_{5,1}} + 0 + 0 + {x_{4,4}a_{5,4}} + 0} = 0} \\{{{x_{5,1}a_{5,1}} + 0 + 0 + 0 + {x_{5,5}a_{5,5}}} = k_{5,5}}\end{matrix}k_{1,5}} = {{\left( {k_{5,5} - {w_{1,1}k_{1,1}}} \right)w_{1,2}^{- 1}k_{3,5}} = {{\left( {k_{5,5} - {w_{3,1}k_{3,3}}} \right)w_{3,2}^{- 1}{Let}\mspace{14mu} A} = \left( {A_{1}^{T},A_{2}^{T},\ldots\mspace{14mu},A_{7}^{T}} \right)}}};{K = \left( {K_{1},K_{2},\ldots\mspace{14mu},K_{7}} \right)}} \right. & (6)\end{matrix}$

It can be obtained that X×A=K from the above (1) to (5), that is:

$\begin{bmatrix}x_{11} & x_{12} & 0 & 0 & 0 \\x_{21} & x_{22} & 0 & 0 & 0 \\x_{31} & 0 & x_{33} & 0 & 0 \\x_{41} & 0 & 0 & x_{44} & 0 \\x_{51} & 0 & 0 & 0 & x_{55}\end{bmatrix}{\quad{\begin{bmatrix}a_{11} & a_{21} & a_{31} & a_{41} & a_{51} \\a_{12} & a_{22} & a_{32} & a_{42} & a_{52} \\a_{13} & a_{23} & a_{33} & a_{43} & a_{53} \\a_{14} & a_{24} & a_{34} & a_{44} & a_{54} \\a_{15} & a_{25} & a_{35} & a_{45} & a_{55}\end{bmatrix} = \begin{bmatrix}k_{11} & k_{12} & k_{13} & k_{14} & k_{15} \\0 & k_{22} & 0 & k_{24} & 0 \\0 & 0 & k_{33} & 0 & k_{35} \\0 & 0 & 0 & k_{44} & 0 \\0 & 0 & 0 & 0 & k_{55}\end{bmatrix}}}$

As long as the determinant |X|≠0, then A has a unique solution.

The matrix A calculated and the mapping parameter are broadcasted ormulticasted by CC to all the subgroup controllers SC_(i) via publicchannel, wherein i=1, 2, . . . , 5;

Step 4, after all the subgroup controllers receive the public matrix Aand the mapping parameter r, the new vector is calculated through f(•,•)and the mapping parameter r:

For any subgroup V_(i), its subgroup controller is SC_(i), whereinX_(i)=(x_(i,1), x_(i,2), . . . , x_(i,5)), x_(i,1)=f(z_(i,1),r),x_(i,i)=f(z_(i,2),r), and the other x_(i,j)=0 (j≠1, j≠i and j=1, . . . ,5); W_(i)=(w_(i,1),w_(i,2)), w_(i,1)=f(y_(i,1),r), w_(i,2)=f(y_(i,2),r).All the k_(i,j)(j=1, . . . , 5), that is, k_(i,1), k_(i,2), k_(i,3),k_(i,4), k_(i,5), are calculated according to the equation (9). If j=i,then k_(i,j)=k_(i,i), that is the key of the subgroup. If j≠i andk_(i,j)≠0, then the group key k_(j,j) of the subgroup V_(i) iscalculated according to the equation (10). For example, for V₃,X₃=(x_(3,1), 0, x_(3,3), 0, 0) and W₃=(w_(3,1),w_(3,2)) are calculatedafter SC₃ receives A and r:x _(3,1) =f(z _(3,1) ,r)w _(3,1) =f(y _(3,1) ,r)x _(3,3) =f(z _(3,2) ,r),w _(3,2) =f(y _(3,2) ,r)

k_(3,1)-k_(3,5) are calculated according to the equation (9), whereink_(3,3)≠0 and k_(3,5)≠0. k_(3,3) is the group key of the subgroup V₃;k_(3,5) is the indirect key for SC₃ to calculate the group key k_(5,5)of the subgroup V₅. According to the equation (10),k_(5,5)=w_(3,1)k_(3,3)+w_(3,2)k_(3,5).

The calculated k_(3,3) and k_(5,5) are sent by SC₃ to group membersthrough the key management scheme in the group.

As shown in FIG. 11, a group with hierarchical access control and sevensubgroups is established through the above steps. The hierarchicalrelationship between subgroups is contained in the public vector A andthe private vectors of each subgroup.

Embodiment 4

When the relationship between the subgroups is changed, as shown in FIG.12: V₅ would like to leave the group, and V₆ would like to join in thegroup as a new subgroup of V₂.

Step 1, as shown in FIG. 13, SC₅ sends a request for leaving to CC, andthen CC deletes the private vectors Z₅ and W₅ of V₅ after receiving therequest for leaving; then CC selects a m-dimensional private vector Z₆and a two-dimensional private vector Y₆ randomly over the finite field Fand sends them via secure channel to the subgroup controller of V₆ whichstores them and keeps secret after receiving Z₆ and Y₆.

The central controller CC reassigns the serial numbers for the currentsubgroup controllers, wherein SC₁-SC₄ remain unchanged, and thecorresponding m-dimensional private vectors and the two-dimensionalprivate vectors are Z₁-Z₄ and Y₁-Y₄ respectively. The serial number ofthe subgroup controller of the new joining subgroup V₆ is SC₅, and thecorresponding private vectors are Zs and Y₅. At this time, the privatevectors stored by CC are Z_(i) and Y_(i) (i=1, 2, . . . , 5), and thehierarchical relationship of the group is shown in FIG. 12.

The other steps are identical to the steps 2 to 4 of Embodiment 1. Itshould be noted that for SC₅, the relationship of each private vectorX_(i), W_(i)(i=1, 2, . . . , 5), the public vector A₅ and the subgroupkey k_(5,5) is different from the item (5) of the step 3 of theEmbodiment 1, the other items remain the same and the correspondingrelationship after SC₅ is changed is as follows:

For SC₅, V₅ can derive k_(5,5) directly, while V₁, V₂ and V₇ can derivek_(5,5) indirectly, but V₃ and V₄ can not derive k_(5,5). Each privatevector X_(i)(i=1, 2, . . . , 5), the public vector A₅ and the keyk_(5,5) have the following relationship:X ₁ ×A ₅ ^(T) =k _(1,5)X ₂ ×A ₅ ^(T) =k _(2,5)X ₃ ×A ₅ ^(T)=0X ₄ ×A ₅ ^(T)=0X ₅ ×A ₅ ^(T) =k _(5,5)k _(1,5)=(k _(5,5) −w _(1,1) k _(1,1))w _(1,2) ⁻¹k _(2,5)=(k _(5,5) −w _(2,1) k _(2,2))w _(2,2) ⁻¹

Suppose K₅=(k_(1,5), k_(2,5), 0, 0, k_(5,5))^(T), then it can be writtenin matrix form as X×A₅ ^(T)=K₅; while it can also be represented by asystem of equations as follows:

$\left\{ {{\begin{matrix}{{{x_{1,1}a_{5,1}} + {x_{1,2}a_{5,2}} + 0 + 0 + 0} = k_{1,5}} \\{{{x_{2,1}a_{5,1}} + {x_{2,2}a_{5,2}} + 0 + 0 + 0} = k_{2,5}} \\{{{x_{3,1}a_{5,1}} + 0 + {x_{3,3}a_{5,3}} + 0 + 0} = 0} \\{{{x_{4,1}a_{5,1}} + 0 + 0 + {x_{4,4}a_{5,4}} + 0} = 0} \\{{{x_{5,1}a_{5,1}} + 0 + 0 + 0 + {x_{5,5}a_{5,5}}} = k_{5,5}}\end{matrix}k_{1,5}} = {{\left( {k_{5,5} - {w_{1,1}k_{1,1}}} \right)w_{1,2}^{- 1}k_{2,5}} = {\left( {k_{5,5} - {w_{2,1}k_{2,2}}} \right)w_{2,2}^{- 1}}}} \right.$

The other details are identical to that of the step 3 of the Embodiment3.

As shown in FIG. 14, the bulk operation of joining and leaving of groupsis done through the above steps, and the new hierarchical relationshipis also reflected in the public vector A and each confidential vectorX_(i) (i=1, 2, . . . , 5). Joining or leaving separately can be regardedas a special form of the bulk operation. During the joining operation ofnew groups, the secure channel only exists when the new group sends theprivate vector to CC, and the other groups (original groups) do not needto resend the private vectors to CC.

It should be emphasized that the above-described embodiments can becombined freely. Many variations and modifications, replacements,combinations and simplifications may be made to the above-describedembodiment(s) of the invention without departing substantially from thespirit and principles of the invention. All such modifications andvariations are intended to be included herein within the scope of thisdisclosure and the present invention and protected by the followingclaims.

What is claimed is:
 1. A computer-enabled method of managing group keysbased on linear geometry, comprising the following steps: selecting amapping f and a finite field F, by a central controller, for use by agroup, wherein all computations in the group are performed over thefinite field F; determining a constant N, by the central controller, tobe used as an upper limit of the number of subgroups (n); sending thefinite field F, the constant N and the mapping f, by the centralcontroller, to subgroup controllers; assigning a serial number, by thecentral controller, for each subgroup; sending each serial number, bythe central controller, to each subgroup controller; selecting aN-dimensional private vector randomly, by the central controller, foreach subgroup; sending each N-dimensional private vector, by the centralcontroller, to each subgroup controller correspondingly via securechannel; receiving and storing and keeping secret the N-dimensionalprivate vectors, by the subgroup controllers, from the centralcontroller, wherein N and n are positive integers, and n≦N; selecting amapping parameter r in the finite field F, by the central controller;mapping, by the central controller, the private vectors of all thesubgroup controllers into a new set of vectors called confidentialvectors in a vector space by using the mapping f according to themapping parameter r; upon determining, by the central controller, thatthe new set of vectors is linearly dependent, reselecting, by thecontroller, the mapping parameter to perform remapping or allowing eachsubgroup controller to reselect a private vector, until the new set ofvectors is linearly independent; selecting a subgroup key in the finitefield F for each subgroup, by the central controller; constructing, bythe central controller, n linear systems of equations according to thehierarchy relationship of the subgroups by using the confidentialvectors and the subgroup keys; calculating, by the central controller,the unique solutions of the linear systems of equations which are calledpublic vectors; wherein the confidential vectors and the public vectorsare subject to the following regulations: (1) the confidential vectorsof lower level nodes are orthogonal to the public vectors of higherlevel nodes, and the inner product is zero; (2) for all the nodes, theinner product of the confidential vector and the public vector of acurrent node itself is the group key of the current node; (3) when thehigher level node is a parent node or ancestor node of the current node,the inner product of the confidential vector of the higher level nodeand the public vector of the current node is the group key of thecurrent node; the inner product of the confidential vector of the higherlevel node and the public vector of a descendant node is the group keyof the descendant node (4) for nodes without direct nor indirectancestor-descendant relationship with respect to each other, the innerproduct of the confidential vector of one node and the public vector ofthe other node is zero (5) the key of one node can not be derived by theother node between brother nodes, and the inner product of theconfidential vector of one node and the public vector of the other nodeis zero; broadcasting or multicasting a public matrix and the mappingparameter r, by the central controller, to all the subgroup controllersvia open channel, wherein the public matrix is formed by n sets ofpublic vectors; receiving, by each subgroup controller, the publicmatrix and the mapping parameter; mapping, by each subgroup controller,the private vector of its own to a new vector in a vector spaceaccording to the parameter; solving, by each subgroup controller, aconfidential vector of its own; obtaining, by each subgroup controller,a set of key vectors by computation of the confidential vector and thepublic matrix; obtaining, by the subgroup controller, its group key andthe group keys of descendant subgroups through the key vector calculatedby itself; and distributing, by the subgroup controller, the group keyscalculated to subgroup members.
 2. The computer-enabled method of claim1, wherein the serial number assigned to each subgroup is SC_(i), andwherein the N-dimensional private vector is Z_(i)=(z_(1,i), z_(i,2), . .. , z_(i,N)), and wherein SC_(i) is sent to each subgroup controller viabroadcasting or multicasting, and wherein the mapping of the privatevectors to the confidential vectors using the mapping f comprises: forthe subgroup controller SC_(i): x_(i, 1) = f(z_(i, 1), r)x_(i, 2) = f(z_(i, 2), r) … , x_(i, n) = f(z_(i, n), r) and wherein thenew set of vectors over the finite field F consists of:X₁ = (x_(1, 1), x_(1, 2), … , x_(1, n)), X₂ = (x_(2, 1), x_(2, 2), … , x_(2, n)), … , X_(n) = (x_(n, 1), x_(n, 2), … , x_(n, n))and wherein the subgroup key is a random number k₁, k₂, . . . , k_(n)wherein k≠0; for any subgroup V_(i), and wherein P(i) represents a setof all ancestor nodes of the subgroup V_(i) and the vectorA_(i)=(a_(i,1), a_(i,2), . . . , a_(i,n)) is an unknown parameter, andwherein the public vector A_(i) and the confidential vector X_(j) ofeach subgroup have the following relationship: $\begin{matrix}{{X_{j} \times A_{i}^{T}} = \left\{ \begin{matrix}{k_{i},} & {{{if}\mspace{14mu} j} = {{i\mspace{14mu}{or}\mspace{14mu} V_{j}} \in {P(i)}}} \\{0,} & {V_{j} \notin {{{P(i)}\mspace{14mu}{and}\mspace{14mu} j} \neq i}}\end{matrix} \right.} & (1)\end{matrix}$ wherein, i=1, . . . , n and j=1, . . . , n; and whereinX=(X₁, X₂, . . . , X_(n))^(T), K_(i)=(c_(i,1), c_(i,2), . . . ,c_(i,n))^(T), $c_{i,j} = \left\{ \begin{matrix}{k_{i},} & {{{if}\mspace{14mu} j} = {{i\mspace{14mu}{or}\mspace{14mu} V_{j}} \in {P(i)}}} \\{0,} & {{V_{j} \notin {{{P(i)}\mspace{14mu}{and}\mspace{14mu} j} \neq i}},}\end{matrix} \right.$ wherein the equation (1) is converted into:X×A _(i) ^(T) =K _(i)  (2) let A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)),K=(K₁, K₂, . . . , K_(n)), such that for all subgroups V_(i) it isobtained that:X×A=K  (3) solving, by the central controller, the system of equations(3) wherein the system of equations (3) has a unique solution since thelinear independence of X₁, X₂, . . . , X_(n) guarantees the coefficientmatrix determinant |X|≠0, and wherein A is the public matrix solved;broadcasting or multicasting the public matrix A=(A₁ ^(T), A₂ ^(T), . .. , A_(n) ^(T)) and the mapping parameter r by the central controller toall the subgroup controllers via open channel; receiving, by eachsubgroup controller, the public matrix A=(A₁ ^(T), A₂ ^(T), . . . ,A_(n) ^(T)) and the mapping parameter r, calculating, by the subgroupcontroller, X_(i)=(x_(i,1), x_(i,2), . . . , x_(i,n)) via the mapping f:x_(i, 1) = f(z_(i, 1), r) x_(i, 2) = f(z_(i, 2), r)… , x_(i, n) = f(z_(i, n), r); calculating, by each subgroup controller:k _(i) =X _(i) ×A _(i) ^(T) =x _(i,1) a _(i,1) +x _(i,2) a _(i,2) + . .. +x _(i,n) a _(i,n)  (4)when j≠i, t _(j) =X _(i) ×A _(j) ^(T) =x _(j,1) a _(i,1) +x _(j,2) a_(i,2) + . . . +x _(j,n) a _(i,n)  (5) wherein i=1, n; j=1, n, P(j)represents the set of all ancestor nodes of the subgroup V_(i); andwherein if V_(i)εP(j), then t_(j)=k_(j), i.e. the group key of V_(j); orelse, t_(j)=0; each subgroup V_(i) calculates its group key or the groupkeys of its descendant nodes via the equations (4) and (5); and sending,by the subgroup controller SC_(i), the calculated k_(i) and t_(j) (j≠i)to each group member.
 3. The computer-enabled method of claim 1, furthercomprising: when new subgroups join in, assigning and sending, by thecentral controller, a serial number to each new subgroup controller;selecting, by the central controller, a N-dimensional private vectorover the finite field F for each new subgroup; sending, by the centralcontroller, the N-dimensional private vector to the correspondingsubgroup controller via secure channel; receiving and storing andkeeping secret, by the new subgroup controller, the N-dimensionalprivate vector of each new group member sent by the central controller;and sending, by the central controller, the finite field F, the constantN, and the mapping f to the new subgroup controller.
 4. Thecomputer-enabled method of claim 1, further comprising: when subgroupsneed to leave, applying, by each subgroup member that needs to leave, tothe central group controller for leaving the group; deleting, by thecentral group controller, the private vectors of the leaving subgroups;reassigning, by the central group controller, serial numbers accordingto the size order of the subscripts of the current subgroup members, andsending, by the central group controller, the serial numbers to allsubgroup controllers by broadcasting or multicasting.
 5. Acomputer-enabled method of managing group keys based on linear geometry,comprising the following steps: selecting a mapping f and a finite fieldF, by the central controller, for use by a group, wherein allcomputations in the group are performed over the finite field F;determining a constant m, by the central controller; sending the finitefield F, the constant m and the mapping f, by the central controller, toall subgroup controllers; upon determining the group has n subgroups,assigning, by the central controller, a serial number for each subgroup;sending, by the central controller, each serial number to thecorresponding subgroup controller; selecting, by the central controller,selects a m-dimensional private vector and a two-dimensional privatevector randomly for each subgroup; sending, by the central controller,the m-dimensional private vector and the two-dimensional private vectorto each subgroup controller correspondingly via secure channel;receiving and storing and keeping secret, by the subgroup controllers,the m-dimensional private vectors and the two-dimensional privatevectors, wherein m and n are positive integers, and 2≦m≦n; selecting, bythe central controller, a mapping parameter r in the finite field F;mapping, by the central controller, the two-dimensional private vectorsof all the subgroup controllers into a new set of vectors by using themapping f according to the mapping parameter r; mapping, by the centralcontroller, the m-dimensional private vectors of all the subgroupcontrollers into a new set of vectors by using the mapping f accordingto the mapping parameter r; upon determining, by the central controller,that the new set of vectors is linearly dependent, reselecting themapping parameter to perform remapping, or allowing each subgroupcontroller to reselect a private vector, until the new set of vectors islinearly independent; wherein these two new sets of subgroups are calledconfidential vectors; selecting, by the central controller, a subgroupkey in the finite field F for each subgroup; constructing, by thecentral controller, n linear systems of equations according to thehierarchy relationship of the subgroups by using the confidentialvectors and the subgroup keys; calculating, by the central controller,the unique solutions of the linear systems of equations which are calledpublic vectors; wherein the confidential vectors and the public vectorsare subject to the following regulations: (1) for all the nodes, theinner product of the m-dimensional confidential vector and the publicvector of a current node itself is the group key of the current node;(2) the m-dimensional confidential vectors of lower level nodes areorthogonal to the public vectors of higher level nodes, and the innerproduct is zero; (3) if the higher level node is a parent node orancestor node of the current node, the inner product of them-dimensional confidential vector of the higher level node and thepublic vector of the current node is the indirect key; the higher levelnode further calculates the key of the descendant node via the indirectkey and the two-dimensional confidential vector of the higher level nodeitself; (4) for nodes without direct nor indirect ancestor-descendantrelationship with respect to each other, the inner product of them-dimensional confidential vector of one node and the public vector ofthe other node is zero; (5) the key of one node can not be derived bythe other node between brother nodes, and the inner product of them-dimensional confidential vector of one node and the public vector ofthe other is zero; broadcasting or multicasting, by the centralcontroller, n sets of public vectors form a public matrix, and thepublic matrix and the mapping parameter r to all the subgroupcontrollers via open channel; after receiving the public matrix and themapping parameter, mapping, by each subgroup controller, two privatevectors of its own to two new vectors called confidential vectors in avector space according to the mapping parameter; obtaining, by eachsubgroup controller, a set of key vectors by linear transformation ofthe m-dimensional confidential vector and the public matrix; obtaining,by the subgroup controller, its group key through the key vectorcalculated by itself; calculating, by the subgroup controller, the groupkeys of descendant subgroups through the two-dimensional confidentialvector and the group key of its own, wherein the descendant subgroupscan not calculate the group keys of its parent group and ancestorgroups; and distributing, by the subgroup controller, the calculatedgroup keys to group members.
 6. The computer-enabled method of claim 5,wherein the method further comprises: when new subgroups join in,selecting, by the central controller, a m-dimensional private vectorZ_(i)=(z_(i,1), z_(i,2), . . . , z_(i,m)) and a two-dimensional privatevector Y_(i)=(y_(i,1),y_(i,2)) for each new subgroup controller over thefinite field F, sending, by the central controller, Z_(i) and Y_(i) tothe corresponding subgroup controller; assigning, by the centralcontroller, a serial number to each new subgroup controller, sending, bythe central controller, the serial number to all subgroup controllers;receiving and storing and keeping secret, by the new subgroupcontroller, the m-dimensional private vector and the two-dimensionalprivate vector sent by the central controller; and sending, by thecentral controller, the finite field F, the constant N, and the mappingf to the new subgroup controllers.
 7. The computer-enabled method ofclaim 5, wherein the method further comprises: when subgroups need toleave, applying, by each subgroup member that needs to leave, to thecentral group controller for leaving the group; deleting, by the centralgroup controller, the private vectors of the leaving subgroups,reassigning, by the central controller, serial numbers according to thesize order of the subscripts of the current subgroup members, andsending, by the central controller, the serial numbers to all subgroupcontrollers by broadcasting or multicasting.
 8. The computer-enabledmethod of claim 5, wherein m is
 2. 9. The computer-enabled method ofclaim 5, the method further comprising: if no group member joins in orleaves the group for a preset period of time, updating, by the groupcontroller, the group key of each subgroup periodically; reselecting, bythe group controller, a new private vector for each subgroup; sending,by the group controller, the new private vector to the correspondingsubgroup controller, receiving and storing and keeping secret, by thesubgroup controller, the new private vector; reselecting, by the centralcontroller, the mapping parameter and the group key of each subgroup;calculating, by the central controller, the public matrix; andbroadcasting or multicasting, by the central controller, the publicmatrix and the mapping parameter to all subgroup controllers via openchannel.
 10. The computer-enabled method of claim 1, the method furthercomprising: if no group member joins in or leaves the group for a presetperiod of time, updating, by the group controller, the group key of eachsubgroup periodically; reselecting, by the group controller, a newprivate vector for each subgroup; sending, by the group controller, thenew private vector to the corresponding subgroup controller, receivingand storing and keeping secret, by the subgroup controller, the newprivate vector; reselecting, by the central controller, the mappingparameter and the group key of each subgroup; calculating, by thecentral controller, the public matrix; and broadcasting or multicasting,by the central controller, the public matrix and the mapping parameterto all subgroup controllers via open channel.
 11. The computer-enabledmethod of claim 5, wherein the subgroup controllers are SC_(i), andwherein the m-dimensional private vector is Z_(i)=(z_(i,1), z_(i,2), . .. , z_(i,m)), and wherein the two-dimensional private vector isY_(i)=(y_(i,1),y_(i,2)) over the finite filed F for each subgroup V_(i),and wherein the serial number SC_(i) is sent to all the subgroupcontrollers by broadcasting or multicasting, and wherein i=1, . . . , n,and wherein the central controller selects the mapping parameter r inthe finite field F randomly, and maps the private vectors Z_(i) of allthe subgroups into a new set of vectors X_(i) by using the mapping f,the method further comprising: mapping, by the central controller, theprivate vectors Y_(i) of all the subgroups into a new set of vectorsW_(i), wherein X_(i) and W_(i) are called confidential vectors, wherein:$\begin{matrix}{{{{for}\mspace{14mu}{all}\mspace{14mu}{subgroups}\mspace{14mu}{SC}_{i}},{i = 1},\ldots\;,n,{{{the}\mspace{14mu}{vector}\mspace{14mu} W_{i}} = {{\left( {w_{i,1},w_{i,2}} \right):w_{i\; 1}} = {f\left( {y_{i,1},r} \right)}}}}{w_{i\; 2} = {f\left( {y_{i,2},r} \right)}}} & (1) \\{{{{{{for}\mspace{14mu} i} = 1},\ldots\;,m,{X_{i} = {{\left( {x_{i,1},\ldots\;,x_{i,m},0,\ldots\;,0} \right):x_{i,1}} = {f\left( {z_{i,1},r} \right)}}}}\ldots x_{i,m} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,{m + 1}}} = {\ldots = {x_{i,n} = 0}}};}} & (2) \\{{{{{{for}\mspace{14mu} i} = {m + 1}},\ldots\;,n,{X_{i} = \left( {x_{i,1},x_{i,2},\ldots\;,x_{i,{m - 1}},{0\ldots}\;,0_{x_{i,i}},0,\ldots\;,0} \right)}}{x_{i,1} = {f\left( {z_{i,1},r} \right)}}\ldots{x_{i,{m - 1}} = {f\left( {z_{i,{m - 1}},r} \right)}}x_{i,i} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,m}} = {\ldots = {x_{i,{i - 1}} = 0}}},{{x_{i,{i + 1}} = {\ldots = {x_{i,n} = 0}}};}}} & (3)\end{matrix}$ obtaining, by central controller, obtains a set ofn-dimensional vectors consisting of X_(i) over the finite field F:X₁ = (x_(1, 1), x_(1, 2), … , x_(1, n))X₂ = (x_(2, 1), x_(2, 2), … , x_(2, n)) … X_(n) = (x_(n, 1), x_(n, 2), … , x_(n, n)); upon determining that X₁,X₂, . . . , X_(n) are linearly dependent, reselecting the mappingparameter and remapping, by the central controller, or allowing thesubgroup controller to reselect a private vector until the new set ofvectors are linearly independent; wherein the group key is k_(i,i)=1, .. . , n, for each subgroup V_(i); and wherein for any subgroupcontroller SC_(i)=1, . . . , n, suppose its the public vectorA_(i)=(a_(i,1),a_(i,2), . . . a_(i,n)) is an unknown parameter, andC(V_(i)) is used to represent the set of all descendant groups of thesubgroup controller SC_(i), and the public vector A_(i) and theconfidential vector X_(i) of each subgroup have the followingrelationship:X _(i) ×A _(i) ^(T) =k _(i,i) wherein V_(j)εC(V_(i)), i.e. V_(j)(j=1, .. . , n) is the direct or indirect descendant group of V_(i) and j≠i,and A_(j), X_(i), W_(i) and X_(j) have the following relationship:$\begin{matrix}\left\{ \begin{matrix}{{X_{j} \times A_{j}^{T}} = k_{j,j}} \\{{X_{i} \times A_{j}^{T}} = k_{i,j}} \\{{W_{i} \times \left( {k_{i,i},k_{i,j}} \right)^{T}} = k_{j,j}}\end{matrix} \right. & (6)\end{matrix}$ and wherein: $\begin{matrix}{{X_{i} \times A_{j}^{T}} = {k_{i,j} = \left\{ \begin{matrix}{k_{i,i},} & {j = i} \\{{\left( {k_{j,j} - {w_{i,1}k_{i,i}}} \right)w_{i,2}^{- 1}},} & {{j \neq {i\bigcap V_{j}}} \in {C\left( V_{i} \right)}} \\{0,} & {{j \neq {i\bigcap V_{j}}} \notin {C\left( V_{i} \right)}}\end{matrix} \right.}} & (7)\end{matrix}$ wherein, i=1, . . . , n, and wherein X=(X₁, X₂, . . . ,X_(n)), K_(i)=(k_(i,1), k_(i,2), . . . , k_(i,n))^(T), and the equation(7) is transformed into:X×A ^(T) =K _(i) wherein A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)) K=(K₁,K₂, . . . , K_(n)), and for all V_(i):X×A=K  (8) the equation (8) is written in the form of a system ofequations: ${\left\lbrack \begin{matrix}x_{1,1} & x_{1,2} & \ldots & x_{1,n} \\x_{2,1} & x_{2,2} & \ldots & x_{2,n} \\\ldots & \ldots & \ldots & \ldots \\x_{n,1} & x_{n,2} & \ldots & x_{n,n}\end{matrix} \right\rbrack \times \left\lbrack \begin{matrix}a_{1,1} & a_{2,1} & \ldots & a_{n,1} \\a_{1,2} & a_{2,2} & \ldots & a_{n,2} \\\ldots & \ldots & \ldots & \ldots \\a_{1,n} & a_{2,n} & \ldots & a_{n,n}\end{matrix} \right\rbrack} = {\quad\left\lbrack \begin{matrix}k_{1,1} & k_{1,2} & \ldots & k_{1,n} \\k_{2,1} & k_{2,2} & \ldots & k_{2,n} \\\ldots & \ldots & \ldots & \ldots \\k_{n,1} & k_{n,2} & \ldots & k_{n,n}\end{matrix} \right\rbrack}$ and wherein the system of equations (8) hasa unique solution: A=X⁻¹K, since the coefficient matrix determinant|X|≠0, and A is the public matrix solved; and wherein the mappingparameter r and the matrix A=(A₁ ^(T), A₂ ^(T), . . . , A_(n) ^(T)) arebroadcasted or multicasted by the central controller to all the subgroupcontrollers via open channel; and wherein each subgroup controllerSC_(i) calculates W_(i) and X_(i) according to the serial number i ofits own and the mapping f: $\begin{matrix}{{{{{for}\mspace{14mu}{all}\mspace{14mu}{the}\mspace{14mu} i} = 1},\ldots\;,n,{W_{i} = \left( {w_{i,1},w_{i,2}} \right)}}{w_{i,1} = {f\left( {y_{i,1},r} \right)}}{w_{i,2} = {f\left( {y_{i,2},r} \right)}}} & (1) \\{{{{{{for}\mspace{14mu} i} = 1},\ldots\;,m,{X_{i} = {{\left( {x_{i,1},\ldots\;,x_{i,m},0,\ldots\;,0} \right):x_{i,1}} = {f\left( {z_{i,1},r} \right)}}}}\ldots x_{i,m} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,{m + 1}}} = {\ldots = {x_{i,n} = 0}}};}} & (2) \\{{{{{{for}\mspace{14mu} i} = {m + 1}},\ldots\;,n,{X_{i} = \left( {x_{i,1},x_{i,2},\ldots\;,x_{i,{m - 1}},{0\ldots}\;,0_{x_{i,i}},0,\ldots\;,0} \right)}}{x_{i,1} = {f\left( {z_{i,1},r} \right)}}\ldots{x_{i,{m - 1}} = {f\left( {z_{i,{m - 1}},r} \right)}}x_{i,i} = {f\left( {z_{i,m},r} \right)}}{{{{let}\mspace{14mu} x_{i,m}} = {\ldots = {x_{i,{i - 1}} = 0}}},{{x_{i,{i + 1}} = {\ldots = {x_{i,n} = 0}}};}}{{{then}\mspace{14mu}{calculate}},{{{for}\mspace{14mu}{all}\mspace{14mu}{the}\mspace{14mu} j} = 1},\ldots\;,n,}} & (3) \\{k_{i,j} = \left\{ \begin{matrix}{{{X_{i} \times A_{j}^{T}} = {{x_{i,1}a_{j,1}} + \ldots + {x_{i,m}a_{j,m}}}},} & {i \leq m} \\{{{X_{i} \times A_{j}^{T}} = {{x_{i,1}a_{j,1}} + \ldots + {x_{i,{m - 1}}a_{j,{m - 1}}} + x_{i,i}}},a_{j,i},} & {i > m}\end{matrix} \right.} & (9)\end{matrix}$ and wherein if j=i, k_(ij)=k_(i,i), i.e. the key of thesubgroup V_(i) itself; if j≠i, the subgroup controller SC_(i) continuesto calculate k_(j,j) if k_(i,j)≠0:k _(j,j) =w _(i,1) ×k _(i,i) +w _(i,2) ×k _(i,j)  (10) and wherein eachsubgroup controller SC_(i) calculates the key k_(i,i), and the keyk_(j,j) of each descendant subgroup via the equations (9) and (10); andwherein the subgroup controller SC_(i) distributes the k_(i,i) andk_(j,j) (j=1, . . . , n and j≠i) calculated to each group member.
 12. Anon-transitory computer-readable storage medium comprisingcomputer-executable instructions for managing group keys based on lineargeometry, the computer-executable instructions comprising instructionsfor: selecting a mapping f and a finite field F, by a centralcontroller, for use by a group, wherein all computations in the groupare performed over the finite field F; determining a constant N, by thecentral controller, to be used as an upper limit of the number ofsubgroups (n); sending the finite field F, the constant N, and themapping f, by the central controller, to subgroup controllers; assigninga serial number, by the central controller, for each subgroup; sendingeach serial number, by the central controller, to each subgroupcontroller; selecting a N-dimensional private vector randomly, by thecentral controller, for each subgroup; sending each N-dimensionalprivate vector, by the central controller, to each subgroup controllercorrespondingly via secure channel; receiving and storing and keepingsecret the N-dimensional private vectors, by the subgroup controllers,from the central controller, wherein N and n are positive integers, andn≦N; selecting a mapping parameter r in the finite field F, by thecentral controller; mapping, by the central controller, the privatevectors of all the subgroup controllers into a new set of vectors calledconfidential vectors in a vector space by using the mapping f accordingto the mapping parameter r; determining, by the controller, if the newset of vectors is linearly dependent; reselecting, by the controller,the mapping parameter to perform remapping; selecting a subgroup key inthe finite field F for each subgroup, by the central controller;constructing, by the central controller, n linear systems of equationsaccording to the hierarchy relationship of the subgroups by using theconfidential vectors and the subgroup keys; calculating, by the centralcontroller, the unique solutions of the linear systems of equationswhich are called public vectors, wherein the confidential vectors oflower level nodes are orthogonal to the public vectors of higher levelnodes, and wherein the inner product is zero, and wherein for all thenodes, the inner product of the confidential vector and the publicvector of a current node itself is the group key of the current node,and wherein when the higher level node is a parent node or ancestor nodeof the current node, and wherein the inner product of the confidentialvector of the higher level node and the public vector of the currentnode is the group key of the current node, and wherein the inner productof the confidential vector of the higher level node and the publicvector of a descendant node is the group key of the descendant node, andwherein for nodes without direct nor indirect ancestor-descendantrelationship with respect to each other, the inner product of theconfidential vector of one node and the public vector of the other nodeis zero, and wherein the key of one node can not be derived by the othernode between brother nodes, and the inner product of the confidentialvector of one node and the public vector of the other node is zero;broadcasting or multicasting a public matrix and the mapping parameterr, by the central controller, to all the subgroup controllers via openchannel, wherein the public matrix is formed by n sets of publicvectors; receiving, by each subgroup controller, the public matrix andthe mapping parameter; mapping, by each subgroup controller, the privatevector of its own to a new vector in a vector space according to theparameter; solving, by each subgroup controller, a confidential vectorof its own; obtaining, by each subgroup controller, a set of key vectorsby computation of the confidential vector and the public matrix;obtaining, by the subgroup controller, its group key and the group keysof descendant subgroups through the key vector calculated by itself; anddistributing, by the subgroup controller, the group keys calculated tosubgroup members.
 13. A non-transitory computer-readable storage mediumcomprising computer-executable instructions for managing group keysbased on linear geometry, the computer-executable instructionscomprising instructions for: selecting a mapping f and a finite field F,by the central controller, for use by a group, wherein all computationsin the group are performed over the finite field F; determining aconstant m, by the central controller; sending the finite field F, theconstant m and the mapping f, by the central controller, to all subgroupcontrollers; upon determining the group has n subgroups, assigning, bythe central controller, a serial number for each subgroup; sending, bythe central controller, each serial number to the corresponding subgroupcontroller; selecting, by the central controller, a m-dimensionalprivate vector and a two-dimensional private vector randomly for eachsubgroup; sending, by the central controller, the m-dimensional privatevector and the two-dimensional private vector to each subgroupcontroller correspondingly via secure channel; receiving and storing andkeeping secret, by the subgroup controllers, the m-dimensional privatevectors and the two-dimensional private vectors, wherein m and n arepositive integers, and 2≦m≦n; selecting, by the central controller, amapping parameter r in the finite field F; mapping, by the centralcontroller, the two-dimensional private vectors of all the subgroupcontrollers into a new set of vectors by using the mapping f accordingto the mapping parameter r; mapping, by the central controller, them-dimensional private vectors of all the subgroup controllers into a newset of vectors by using the mapping f according to the mapping parameterr; upon determining, by the central controller, that the new set ofvectors is linearly dependent, reselecting the mapping parameter toperform remapping, or allowing each subgroup controller to reselect aprivate vector, until the new set of vectors is linearly independent;wherein these two new sets of subgroups are called confidential vectors;selecting, by the central controller, a subgroup key in the finite fieldF for each subgroup; constructing, by the central controller, n linearsystems of equations according to the hierarchy relationship of thesubgroups by using the confidential vectors and the subgroup keys;calculating, by the central controller, the unique solutions of thelinear systems of equations which are called public vectors; wherein theconfidential vectors and the public vectors are subject to the followingregulations: (1) for all the nodes, the inner product of them-dimensional confidential vector and the public vector of a currentnode itself is the group key of the current node; (2) the m-dimensionalconfidential vectors of lower level nodes are orthogonal to the publicvectors of higher level nodes, and the inner product is zero; (3) if thehigher level node is a parent node or ancestor node of the current node,the inner product of the m-dimensional confidential vector of the higherlevel node and the public vector of the current node is the indirectkey; the higher level node further calculates the key of the descendantnode via the indirect key and the two-dimensional confidential vector ofthe higher level node itself; (4) for nodes without direct nor indirectancestor-descendant relationship with respect to each other, the innerproduct of the m-dimensional confidential vector of one node and thepublic vector of the other node is zero; (5) the key of one node cannotbe derived by the other node between brother nodes, and the innerproduct of the m-dimensional confidential vector of one node and thepublic vector of the other is zero; broadcasting or multicasting, by thecentral controller, n sets of public vectors form a public matrix, andthe public matrix and the mapping parameter r to all the subgroupcontrollers via open channel; after receiving the public matrix and themapping parameter, mapping, by each subgroup controller, two privatevectors of its own to two new vectors called confidential vectors in avector space according to the mapping parameter; obtaining, by eachsubgroup controller, a set of key vectors by linear transformation ofthe m-dimensional confidential vector and the public matrix; obtaining,by the subgroup controller, its group key through the key vectorcalculated by itself; calculating, by the subgroup controller, the groupkeys of descendant subgroups through the two-dimensional confidentialvector and the group key of its own, wherein the descendant subgroupscan not calculate the group keys of its parent group and ancestorgroups; and distributing, by the subgroup controller, the calculatedgroup keys to group members.